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Systems  and  methods  for  secure  transaction  management  and  electronic  rights  protection 

Abstract 

The  present  invention  provides  systems  and  methods  for  secure  transaction  management  and  electronic  rights 
protection.  Electronic  appliances  such  as  computers  equipped  in  accordance  with  the  present  invention  help  to  ensure 
that  information  is  accessed  and  used  only  in  authorized  ways,  and  maintain  the  integrity,  availability,  and/or 
confidentiality  of  the  information.  Such  electronic  appliances  provide  a  distributed  virtual  distribution  environment 
(VDE)  that  may  enforce  a  secure  chain  of  handling  and  control,  for  example,  to  control  and/or  meter  or  otherwise 
monitor  use  of  electronically  stored  or  disseminated  information.  Such  a  virtual  distribution  environment  may  be  used 
to  protect  rights  of  various  participants  in  electronic  commerce  and  other  electronic  or  electronic-facilitated 
transactions.  Distributed  and  other  operating  systems,  environments  and  architectures,  such  as,  for  example,  those 
using  tamper -resistant  hardware -based  processors,  may  establish  security  at  each  node.  These  techniques  may  be  used 
to  support  an  all-electronic  information  distribution,  for  example,  utilizing  the  "electronic  highway." 
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Parent  Case  Text 


This  is  a  continuation  of  application  Ser.  No.  08/778,256,  filed  Jan.  8,  1997,  now  U.S.  Pat.  No.  5,949,876  which  is  a 
divisional  of  application  Ser.  No.  08/388,107,  filed  Feb.  13,  1995,  now  abandoned- all  of  which  are  incorporated 
herein  by  reference. 


Claims 


We  claim: 

1.  A  method  for  automated  negotiation,  including  the  following  steps:  creating  a  first  rule  set  at  a  first  site,  the  first 
rule  set  designed  to  participate  in  an  automatic  negotiation  with  a  second  rule  set; 

transmitting  the  first  rule  set  from  the  first  site  to  a  second  site, 

at  the  second  site,  performing  an  automated  negotiating  process  including: 

comparing  information  present  in  or  specified  by  the  first  rule  set  to  a  first  requirement  specified  by  a  second  rule  set 
present  at  the  second  site; 

if  the  comparison  results  in  a  first  outcome,  carrying  out  a  first  action,  the  first  action  including: 

creating  a  secure  container  consisting  of  protected  content  and  having  an  associated  third  rule  set,  the  third  rule  set 
being  created  as  a  result  of  an  interaction  between  the  first  rule  set  and  the  second  rule  set; 

transmitting  the  secure  container  from  the  second  site  to  the  first  site;  and 

using  a  rule  from  the  third  rule  set  to  govern  an  aspect  of  access  to  or  use  of  the  protected  content;  and 

if  the  comparison  results  in  a  second  outcome,  carrying  a  second  action,  which  is  different  in  at  least  one  respect  from 
the  first  action. 

2.  The  method  of  claim  1,  in  which  the  first  outcome  consists  of  an  agreement  between  a  requirement  specified  by  the 
second  rule  set  and  an  offer  specified  by  the  first  rule  set. 

3.  The  method  of  claim  2,  in  which  the  automated  negotiation  process  is  carried  out  in  a  computing  environment 
which  is  at  least  in  part  secure. 

4.  The  method  of  claim  3,  in  which  the  comparing  step  includes  the  following  substeps: 
comparing  first  information  present  in  or  specified  by  the  first  rule  set  to  the  first  requirement; 
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determining  that  the  first  information  does  not  match  the  first  requirement; 

comparing  second  information  present  in  or  specified  by  the  first  rule  set  to  a  second  requirement  specified  by  the 
second  rule  set;  and 

determining  that  the  second  information  matches  the  second  requirement. 

5.  The  method  of  claim  4,  in  which: 

the  first  requirement  includes  a  requirement  that  a  first  payment  method  be  used; 
the  second  requirement  includes  a  requirement  that  a  second  payment  method  be  used; 
the  first  information  identifies  a  payment  method  other  than  the  first  payment  method;  and 
the  second  information  identifies  the  second  payment  method. 

6.  The  method  of  claim  4,  in  which: 

the  first  requirement  includes  a  requirement  that  first  specified  identification  information  be  provided,  and  further 
specifies  a  first  price;  and 

the  second  requirement  specifies  a  second  price  which  is  higher  than  the  first  price,  but  requires  provision  of  less 
identification  information  than  the  first  specified  identification  information. 

7.  The  method  of  claim  4,  in  which  the  first  action  includes  associating  a  digital  signature  with  the  contents  of  the 
secure  container. 

8.  The  method  of  claim  1,  in  which  the  step  of  creating  a  first  rule  set  is  performed  at  least  in  part  in  a  secure 
environment  present  at  the  first  site. 

9.  The  method  of  claim  8,  in  which  the  automated  negotiating  step  is  performed  at  least  in  part  in  a  secure  environment 
present  at  the  second  site. 

10.  A  method  for  automated  negotiation,  including  the  following  steps: 
creating  a  first  rule  set  at  a  first  site; 

creating  a  second  rule  set  at  a  second  site; 

transmitting  the  first  rule  set  from  the  first  site  to  a  third  site; 

transmitting  the  second  rule  set  to  the  third  site; 

at  the  third  site,  performing  the  following  steps: 

comparing  a  requirement  specified  by  the  first  rule  set  to  a  requirement  specified  by  the  second  rule  set  and 
determining  that  the  requirements  are  consistent; 

based  at  least  in  part  on  the  results  of  the  comparison,  creating  a  third  rule  set,  the  third  rule  set  including  at  least  one 
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rule  specified  at  least  in  part  by  the  first  rule  set  and  the  second  rule  set; 
associating  the  third  rule  set  with  a  secure  container; 
encapsulating  protected  content  into  the  secure  container;  and 
transmitting  the  secure  container  to  the  first  site. 

11.  The  method  of  claim  10,  in  which  the  first  site  is  associated  with  a  first  party,  the  second  site  is  associated  with  a 
second  party,  and  the  third  site  is  associated  with  a  neutral  negotiator. 

12.  The  method  of  claim  11,  further  including: 

prior  to  the  steps  of  transmitting  the  first  rule  set  and  the  second  rule  set  to  the  third  site,  a  communication  between  the 
first  party  and  the  second  party,  the 

communication  resulting  in  agreement  to  use  the  neutral  negotiator  for  the  negotiation. 

13.  The  method  of  claim  12,  in  which  the  first  rule  set  includes  a  request  to  gain  access  to  content  owned  or  controlled 
by  the  second  party. 

14.  The  method  of  claim  13,  in  which  the  first  rule  set  includes  a  specification  of  a  first  price  the  first  party  is  willing 
to  or  desires  to  pay  for  the  content  access. 

15.  The  method  of  claim  14,  in  which  the  second  rule  set  includes  a  specification  of  a  second  price  the  second  party 
requires  or  desires  in  order  to  grant  access  to  the  content. 

16.  The  method  of  claim  15,  in  which  the  comparing  step  includes  comparing  the  first  price  to  the  second  price  and 
determining  whether  the  first  price  is  equal  to  or  exceeds  the  second  price. 

17.  The  method  of  claim  16,  in  which  the  first  rule  set  includes  a  specification  of  a  first  payment  method  the  first  party 
is  willing  to  use  to  pay  for  the  content  access. 

18.  The  method  of  claim  17,  in  which  the  second  rule  set  includes  a  specification  of  a  second  payment  method  the 
second  party  is  willing  to  accept  for  payment  for  the  content  access. 

19.  The  method  of  claim  18,  in  which  the  comparing  step  includes  comparing  the  first  payment  method  to  the  second 
payment  method  to  determine  whether  they  are  consistent. 

20.  The  method  of  claim  19,  in  which  the  first  rule  set  includes  a  specification  of  first  information  the  first  party  is 
willing  to  or  desires  to  disclose  in  return  for  gaining  access  to  the  content. 

21.  The  method  of  claim  20,  in  which  the  second  rule  set  includes  a  specification  of  second  information  the  second 
party  desires  or  requires  in  return  for  providing  access  to  the  content. 

22.  The  method  of  claim  21,  in  which  the  comparing  step  includes  comparing  the  first  information  specification  to  the 
second  information  specification  to  determine  whether  they  are  consistent. 

23.  The  method  of  claim  22,  in  which  the  second  rule  set  also  specifies  a  third  price,  which  is  lower  than  the  second 
price,  and  further  specifies  that  the  third  price  may  be  used  if  the  first  party  agrees  to  provide  the  second  information, 
but  that  the  second  price  must  be  used  if  the  first  party  refuses  to  provide  the  second  information,  and 
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the  comparing  step  includes  determining  whether  the  first  party  is  willing  to  provide  the  second  information  and, 

if  the  first  party  is  willing  to  provide  the  second  information,  using  the  third  price  instead  of  the  second  price  in  the 
step  of  comparing  price  information. 

24.  A  method  for  automated  negotiation  including  the  following  steps: 

generating  a  first  rule  set  including  a  first  rule  from  a  first  party  which  owns  or  at  least  in  part  controls  governed 
content  and  a  second  rule  from  a  second  party  which  constitutes  or  includes  a  clearinghouse; 

incorporating  the  governed  content  into  a  secure  container; 

storing  the  first  rule  set  at  a  first  site; 

transmitting  a  second  rule  set  from  a  second  site  to  the  first  site,  the  second  rule  set  including  a  third  rule  from  a  third 
party; 

comparing  at  least  a  portion  of  the  first  rule  set  to  at  least  a  portion  of  the  second  rule  set;  and 
based  on  the  results  of  the  comparison,  providing  access  to  the  secure  container  to  the  third  party. 

25.  The  method  of  claim  24,  further  including:  placing  the  second  rule  set  in  a  secure  container,  the  step  of 
transmitting  the  second  rule  set  from  the  second  site  to  the  first  site  constituting  transmitting  the  secure  container. 

26.  The  method  of  claim  25,  further  including: 

as  a  result  of  the  comparison  step,  transmitting  the  secure  container  containing  the  governed  content  to  the  second  site. 

27.  The  method  of  claim  26,  further  including: 

as  a  result  of  the  comparison  step,  generating  digital  information  specifying  at  least  some  of  the  terms  agreed  to  in  the 
negotiation. 

28.  The  method  of  claim  27,  further  including: 
associating  a  digital  signature  with  the  digital  information. 

29.  A  method  of  automated  negotiation  including: 

creating  a  first  rule  set  representing  a  negotiating  position  of  a  first  party; 

incorporating  the  first  rule  set  into  a  first  secure  container; 

creating  a  second  rule  set  representing  a  negotiating  position  of  a  second  party; 

incorporating  the  second  rule  set  into  a  second  secure  container; 

selecting  a  negotiation  site  associated  with  a  third  party; 


Page  19  of  54 


transmitting  the  first  and  the  second  secure  containers  to  the  negotiation  site; 

at  the  negotiation  site,  comparing  an  attribute  of  the  first  rule  set  to  an  attribute  of  the  second  rule  set  to  determine 
whether  the  attributes  are  compatible  and,  depending  on  the  results  of  the  comparison,  determining  that  the  negotiation 
has  succeeded,  determining  that  the  negotiation  has  failed,  or  determining  that  an  additional  comparison  is  required; 

if  the  negotiation  has  succeeded,  transmitting  a  third  secure  container  to  the  first  party,  the  third  secure  container 
containing  governed  content; 

if  the  negotiation  has  failed,  informing  both  parties  of  the  failure,  and  not  transmitting  the  third  secure  container  to  the 
first  party;  and 

if  an  additional  comparison  is  required,  performing  that  comparison,  and  repeating  until  the  negotiation  either 
succeeds  or  fails. 

30.  The  method  of  claim  29,  in  which  the  second  party  is  a  content  distributor,  and  the  second  rule  set  includes  a  rule 
generated  by  a  third  party,  the  third  party  constituting  an  owner  of  at  least  some  rights  to  the  governed  content. 

Description 


FIELD(S)  OF  THE  INVENTION(S) 

This  invention  generally  relates  to  computer  and/or  electronic  security. 

More  particularly,  this  invention  relates  to  systems  and  techniques  for  secure  transaction  management.  This  invention 
also  relates  to  computer-based  and  other  electronic  appliance -based  technologies  that  help  to  ensure  that  information  is 
accessed  and/or  otherwise  used  only  in  authorized  ways,  and  maintains  the  integrity,  availability,  and/or 
confidentiality  of  such  information  and  processes  related  to  such  use. 

The  invention  also  relates  to  systems  and  methods  for  protecting  rights  of  various  participants  in  electronic  commerce 
and  other  electronic  or  electronically-facilitated  transactions. 

The  invention  also  relates  to  secure  chains  of  handling  and  control  for  both  information  content  and  information 
employed  to  regulate  the  use  of  such  content  and  consequences  of  such  use.  It  also  relates  to  systems  and  techniques 
that  manage,  including  meter  and/or  limit  and/or  otherwise  monitor  use  of  electronically  stored  and/or  disseminated 
information.  The  invention  particularly  relates  to  transactions,  conduct  and  arrangements  that  make  use  of,  including 
consequences  of  use  of,  such  systems  and/or  techniques. 

The  invention  also  relates  to  distributed  and  other  operating  systems,  environments  and  architectures.  It  also  generally 
relates  to  secure  architectures,  including,  for  example,  tamper -resistant  hardware -based  processors,  that  can  be  used  to 
establish  security  at  each  node  of  a  distributed  system. 

BACKGROUND  AND  SUMMARY  OF  THE  INVENTION(S) 

Telecommunications,  financial  transactions,  government  processes,  business  operations,  entertainment,  and  personal 
business  productivity  all  now  depend  on  electronic  appliances.  Millions  of  these  electronic  appliances  have  been 
electronically  connected  together.  These  interconnected  electronic  appliances  comprise  what  is  increasingly  called  the 
"information  highway. "Many  businesses,  academicians,  and  government  leaders  are  concerned  about  how  to  protect 
the  rights  of  citizens  and  organizations  who  use  this  information  (also  "electronic"  or  "digital")  highway. 
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Electronic  Content 

Today,  virtually  anything  that  can  be  represented  by  words,  numbers,  graphics,  or  system  of  commands  and 
instructions  can  be  formatted  into  electronic  digital  information.  Television,  cable,  satellite  transmissions,  and  on-line 
services  transmitted  over  telephone  lines,  compete  to  distribute  digital  information  and  entertainment  to  homes  and 
businesses.  The  owners  and  marketers  of  this  content  include  software  developers,  motion  picture  and  recording 
companies,  publishers  of  books,  magazines,  and  newspapers,  and  information  database  providers.  The  popularization 
of  on-line  services  has  also  enabled  the  individual  personal  computer  user  to  participate  as  a  content  provider.  It  is 
estimated  that  the  worldwide  market  for  electronic  information  in  1992  was  approximately  $40  billion  and  is  expected 
to  grow  to  $200  billion  by  1997,  according  to  Microsoft  Corporation.  The  present  invention  can  materially  enhance  the 
revenue  of  content  providers,  lower  the  distribution  costs  and  the  costs  for  content,  better  support  advertising  and 
usage  information  gathering,  and  better  satisfy  the  needs  of  electronic  information  users.  These  improvements  can  lead 
to  a  significant  increase  in  the  amount  and  variety  of  electronic  information  and  the  methods  by  which  such 
information  is  distributed. 

The  inability  of  conventional  products  to  be  shaped  to  the  needs  of  electronic  information  providers  and  users  is 
sharply  in  contrast  to  the  present  invention.  Despite  the  attention  devoted  by  a  cross-section  of  America's  largest 
telecommunications,  computer,  entertainment  and  information  provider  companies  to  some  of  the  problems  addressed 
by  the  present  invention,  only  the  present  invention  provides  commercially  secure,  effective  solutions  for  configurable, 
general  purpose  electronic  commerce  transaction/distribution  control  systems. 

Controlling  Electronic  Content 

The  present  invention  provides  a  new  kind  of  "virtual  distribution  environment"  (called  "VDE"  in  this  document)  that 
secures,  administers,  and  audits  electronic  information  use.  VDE  also  features  fundamentally  important  capabilities  for 
managing  content  that  travels  "across"  the  "information  highway."  These  capabilities  comprise  a  rights  protection 
solution  that  serves  all  electronic  community  members.  These  members  include  content  creators  and  distributors, 
financial  service  providers,  end-users,  and  others.  VDE  is  the  first  general  purpose,  configurable,  transaction 
control/rights  protection  solution  for  users  of  computers,  other  electronic  appliances,  networks,  and  the  information 
highway. 

A  fundamental  problem  for  electronic  content  providers  is  extending  their  ability  to  control  the  use  of  proprietary 
information.  Content  providers  often  need  to  limit  use  to  authorized  activities  and  amounts.  Participants  in  a  business 
model  involving,  for  example,  provision  of  movies  and  advertising  on  optical  discs  may  include  actors,  directors, 
script  and  other  writers,  musicians,  studios,  publishers,  distributors,  retailers,  advertisers,  credit  card  services,  and 
content  end-users.  These  participants  need  the  ability  to  embody  their  range  of  agreements  and  requirements,  including 
use  limitations,  into  an  "extended"  agreement  comprising  an  overall  electronic  business  model.  This  extended 
agreement  is  represented  by  electronic  content  control  information  that  can  automatically  enforce  agreed  upon  rights 
and  obligations.  Under  VDE,  such  an  extended  agreement  may  comprise  an  electronic  contract  involving  all  business 
model  participants.  Such  an  agreement  may  alternatively,  or  in  addition,  be  made  up  of  electronic  agreements  between 
subsets  of  the  business  model  participants.  Through  the  use  of  VDE,  electronic  commerce  can  function  in  the  same 
way  as  traditional  commerce— that  is  commercial  relationships  regarding  products  and  services  can  be  shaped  through 
the  negotiation  of  one  or  more  agreements  between  a  variety  of  parties. 

Commercial  content  providers  are  concerned  with  ensuring  proper  compensation  for  the  use  of  their  electronic 
information.  Electronic  digital  information,  for  example  CD  recording,  can  today  be  copied  relatively  easily  and 
inexpensively.  Similarly,  unauthorized  copying  and  use  of  software  programs  deprives  rightful  owners  of  billions  of 
dollars  in  annual  revenue  according  to  the  International  Intellectual  Property  Alliance.  Content  providers  and 
distributors  have  devised  a  number  of  limited  function  rights  protection  mechanisms  to  protect  their  rights. 
Authorization  passwords  and  protocols,  license  servers,  "lock/unlock"  distribution  methods,  and  non -electronic 
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contractual  limitations  imposed  on  users  of  shrink-wrapped  software  are  a  few  of  the  more  prevalent  content 
protection  schemes.  In  a  commercial  context,  these  efforts  are  inefficient  and  limited  solutions. 

Providers  of  "electronic  currency"  have  also  created  protections  for  their  type  of  content.  These  systems  are  not 
sufficiently  adaptable,  efficient,  nor  flexible  enough  to  support  the  generalized  use  of  electronic  currency. 

Furthermore,  they  do  not  provide  sophisticated  auditing  and  control  configuration  capabilities.  This  means  that  current 
electronic  currency  tools  lack  the  sophistication  needed  for  many  real-world  financial  business  models.  VDE  provides 
means  for  anonymous  currency  and  for  "conditionally"  anonymous  currency,  wherein  currency  related  activities 
remain  anonymous  except  under  special  circumstances. 

VDE  Control  Capabilities 

VDE  allows  the  owners  and  distributors  of  electronic  digital  information  to  reliably  bill,  for,  and  securely  control, 
audit,  and  budget  the  use  of,  electronic  information.  It  can  reliably  detect  and  monitor  the  use  of  commercial 
information  products.  VDE  uses  a  wide  variety  of  different  electronic  information  delivery  means:  including,  for 
example,  digital  networks,  digital  broadcast,  and  physical  storage  media  such  as  optical  and  magnetic  disks.  VDE  can 
be  used  by  major  network  providers,  hardware  manufacturers,  owners  of  electronic  information,  providers  of  such 
information,  and  clearinghouses  that  gather  usage  information  regarding,  and  bill  for  the  use  of,  electronic 
information. 

VDE  provides  comprehensive  and  configurable  transaction  management,  metering  and  monitoring  technology.  It  can 
change  how  electronic  information  products  are  protected,  marketed,  packaged,  and  distributed.  When  used,  VDE 
should  result  in  higher  revenues  for  information  providers  and  greater  user  satisfaction  and  value.  Use  of  VDE  will 
normally  result  in  lower  usage  costs,  decreased  transaction  costs,  more  efficient  access  to  electronic  information, 
reusability  of  rights  protection  and  other  transaction  management  implementations,  greatly  improved  flexibility  in  the 
use  of  secured  information,  and  greater  standardization  of  tools  and  processes  for  electronic  transaction  management. 
VDE  can  be  used  to  create  an  adaptable  environment  that  fulfills  the  needs  of  electronic  information  owners, 
distributors,  and  users;  financial  clearinghouses;  and  usage  information  analyzers  and  resellers. 

Rights  and  Control  Information 

In  general,  the  present  invention  can  be  used  to  protect  the  rights  of  parties  who  have: 

(a)  proprietary  or  confidentiality  interests  in  electronic  information.  It  can,  for  example,  help  ensure  that  information  is 
used  only  in  authorized  ways; 

(b)  financial  interests  resulting  from  the  use  of  electronically  distributed  information.  It  can  help  ensure  that  content 
providers  will  be  paid  for  use  of  distributed  information;  and 

(c)  interests  in  electronic  credit  and  electronic  currency  storage,  communication,  and/or  use  including  electronic  cash, 
banking,  and  purchasing. 

Protecting  the  rights  of  electronic  community  members  involves  a  broad  range  of  technologies.  VDE  combines  these 
technologies  in  a  way  that  creates  a  "distributed"  electronic  rights  protection  "environment."  This  environment  secures 
and  protects  transactions  and  other  processes  important  for  rights  protection.  VDE,  for  example,  provides  the  ability  to 
prevent,  or  impede,  interference  with  and/or  observation  of,  important  rights  related  transactions  and  processes.  VDE, 
in  its  preferred  embodiment,  uses  special  purpose  tamper  resistant  Secure  Processing  Units  (SPUs)  to  help  provide  a 
high  level  of  security  for  VDE  processes  and  information  storage  and  communication. 

The  rights  protection  problems  solved  by  the  present  invention  are  electronic  versions  of  basic  societal  issues.  These 
issues  include  protecting  property  rights,  protecting  privacy  rights,  properly  compensating  people  and  organizations 
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for  their  work  and  risk,  protecting  money  and  credit,  and  generally  protecting  the  security  of  information.  VDE 
employs  a  system  that  uses  a  common  set  of  processes  to  manage  rights  issues  in  an  efficient,  trusted,  and  cost- 
effective  way. 

VDE  can  be  used  to  protect  the  rights  of  parties  who  create  electronic  content  such  as,  for  example:  records,  games, 
movies,  newspapers,  electronic  books  and  reference  materials,  personal  electronic  mail,  and  confidential  records  and 
communications.  The  invention  can  also  be  used  to  protect  the  rights  of  parties  who  provide  electronic  products,  such 
as  publishers  and  distributors;  the  rights  of  parties  who  provide  electronic  credit  and  currency  to  pay  for  use  of 
products,  for  example,  credit  clearinghouses  and  banks;  the  rights  to  privacy  of  parties  who  use  electronic  content 
(such  as  consumers,  business  people,  governments);  and  the  privacy  rights  of  parties  described  by  electronic 
information,  such  as  privacy  rights  related  to  information  contained  in  a  medical  record,  tax  record,  or  personnel 
record. 

In  general,  the  present  invention  can  protect  the  rights  of  parties  who  have: 

(a)  commercial  interests  in  electronically  distributed  information— the  present  invention  can  help  ensure,  for  example, 
that  parties,  will  be  paid  for  use  of  distributed  information  in  a  manner  consistent  with  their  agreement; 

(b)  proprietary  and/or  confidentiality  interests  in  electronic  information— the  present  invention  can,  for  example,  help 
ensure  that  data  is  used  only  in  authorized  ways; 

(c)  interests  in  electronic  credit  and  electronic  currency  storage,  communication,  and/or  use— this  can  include 
electronic  cash,  banking,  and  purchasing;  and 

(d)  interests  in,  electronic  information  derived,  at  least  in  part,  from  use  of  other  electronic  information. 

VDE  Functional  Properties 

VDE  is  a  cost-effective  and  efficient  rights  protection  solution  that  provides  a  unified,  consistent  system  for  securing 
and  managing  transaction  processing.  VDE  can: 

(a)  audit  and  analyze  the  use  of  content, 

(b)  ensure  that  content  is  used  only  in  authorized  ways,  and 

(c)  allow  information  regarding  content  usage  to  be  used  only  in  ways  approved  by  content  users. 

In  addition,  VDE: 

(a)  is  very  configurable,  modifiable,  and  re-usable; 

(b)  supports  a  wide  range  of  useful  capabilities  that  may  be  combined  in  different  ways  to  accommodate  most  potential 
applications; 

(c)  Operates  a  wide  variety  of  electronic  appliances  ranging  from  hand-held  inexpensive  devices  to  large  mainframe 
computers; 

(d)  is  able  to  ensure  the  various  rights  of  a  number  of  different  parties,  and  a  number  of  different  rights  protection 
schemes,  simultaneously; 

(e)  is  able  to  preserve  the  rights  of  parties  through  a  series  of  transactions  that  may  occur  at  different  times  and 
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different  locations; 

(f)  is  able  to  flexibly  accommodate  different  ways  of  securely  delivering  information  and  reporting  usage;  and 

(g)  provides  for  electronic  analogues  to  "real"  money  and  credit,  including  anonymous  electronic  cash,  to  pay  for 
products  and  services  and  to  support  personal  (including  home)  banking  and  other  financial  activities. 

VDE  economically  and  efficiently  fulfills  the  rights  protection  needs  of  electronic  community  members.  Users  of  VDE 
will  not  require  additional  rights  protection  systems  for  different  information  highway  products  and  rights  problems— 
nor  will  they  be  required  to  install  and  leam  a  new  system  for  each  new  information  highway  application. 

VDE  provides  a  unified  solution  that  allows  all  content  creators,  providers,  and  users  to  employ  the  same  electronic 
rights  protection  solution.  Under  authorized  circumstances,  the  participants  can  freely  exchange  content  and  associated 
content  control  sets.  This  means  that  a  user  of  VDE  may,  if  allowed,  use  the  same  electronic  system  to  work  with 
different  kinds  of  content  having  different  sets  of  content  control  information.  The  content  and  control  information 
supplied  by  one  group  can  be  used  by  people  who  normally  use  content  and  control  information  supplied  by  a  different 
group.  VDE  can  allow  content  to  be  exchanged  "universally"  and  users  of  an  implementation  of  the  present  invention 
can  interact  electronically  without  fear  of  incompatibilities  in  content  control,  violation  of  rights,  or  the  need  to  get, 
install,  or  learn  a  new  content  control  system. 

The  VDE  securely  administers  transactions  that  specify  protection  of  rights.  It  can  protect  electronic  rights  including, 
for  example: 

(a)  the  property  rights  of  authors  of  electronic  content, 

(b)  the  commercial  rights  of  distributors  of  content, 

(c)  the  rights  of  any  parties  who  facilitated  the  distribution  of  content, 

(d)  the  privacy  rights,  of  users  of  content, 

(e)  the  privacy  rights  of  parties  portrayed  by  stored  and/or  distributed  content,  and 

(f)  any  other  rights  regarding  enforcement  of  electronic  agreements. 

VDE  can  enable  a  very  broad  variety  of  electronically  enforced  commercial  and  societal  agreements.  These 
agreements  can  include  electronically  implemented  contracts,  licenses,  laws,  regulations,  and  tax  collection. 

Contrast  with  Traditional  Solutions 

Traditional  content  control  mechanisms  often  require  users  to  purchase  more  electronic  information  than  the  user 
needs  or  desires.  For  example,  infrequent  users  of  shrink-wrapped  software  are  required  to  purchase  a  program  at  the 
same  price  as  frequent  users,  even  though  they  may  receive  much  less  value  from  their  less  frequent  use.  Traditional 
systems  do  not  scale  cost  according  to  the  extent  or  character  of  usage  and  traditional  systems  can  not  attract  potential 
customers  who  find  that  a  fixed  price  is  too  high.  Systems  using  traditional  mechanisms  are  also  not  normally 
particularly  secure.  For  example,  shrink-wrapping  does  not  prevent  the  constant  illegal  pirating  of  software  once 
removed  from  either  its  physical  or  electronic  package. 

Traditional  electronic  information  rights  protection  systems  are  often  inflexible  and  inefficient  and  may  cause  a 
content  provider  to  choose  costly  distribution  channels  that  increase  a  product's  price.  In  general  these  mechanisms 
restrict  product  pricing,  configuration,  and  marketing  flexibility.  These  compromises  are  the  result  of  techniques  for 
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controlling  information  which  cannot  accommodate  both  different  content  models  and  content  models  which  reflect 
the  many,  varied  requirements  such  as  content  delivery  strategies  of  the  model  participants.  This  can  limit  a  provider's 
ability  to  deliver  sufficient  overall  value  to  justify  a  given  product's  cost  in  the  eyes  of  many  potential  users.  VDE 
allows  content  providers  and  distributors  to  create  applications  and  distribution  networks  that  reflect  content  providers' 
and  users'  preferred  business  models.  It  offers  users  a  uniquely  cost  effective  and  feature  rich  system  that  supports  the 
ways  providers  want  to  distribute  information  and  the  ways  users  want  to  use  such  information.  VDE  supports  content 
control  models  that  ensure  rights  and  allow  content  delivery  strategies  to  be  shaped  for  maximum  commercial  results. 

Chain  of  Handling  and  Control 

VDE  can  protect  a  collection  of  rights  belonging  to  various  parties  having  in  rights  in,  or  to,  electronic  information. 
This  information  may  be  at  one  location  or  dispersed  across  (and/or  moving  between)  multiple  locations.  The 
information  may  pass  through  a  "chain"  of  distributors  and  a  "chain"  of  users.  Usage  information  may  also  be  reported 
through  one  or  more  "chains"  of  parties.  In  general,  VDE  enables  parties  that  (a)  have  rights  in  electronic  information, 
and/or  (b)  act  as  direct  or  indirect  agents  for  parties  who  have  rights  in  electronic  information,  to  ensure  that  the 
moving,  accessing,  modifying,  or  otherwise  using  of  information  can  be  securely  controlled  by  rules  regarding  how, 
when,  where,  and  by  whom  such  activities  can  be  performed. 

VDE  Applications  and  Software 

VDE  is  a  secure  system  for  regulating  electronic  conduct  and  commerce.  Regulation  is  ensured  by  control  information 
put  in  place  by  one  or  more  parties.  These  parties  may  include  content  providers,  electronic  hardware  manufacturers, 
financial  service  providers,  or  electronic  "infrastructure"  companies  such  as  cable  or  telecommunications  companies. 
The  control  information  implements  "Rights  Applications."  Rights  applications  "run  on"  the  "base  software"  of  the 
preferred  embodiment.  This  base  software  serves  as  a  secure,  flexible,  general  purpose  foundation  that  can 
accommodate  many  different  rights  applications,  that  is,  many  different  business  models  and  their  respective 
participant  requirements. 

A  rights  application  under  VDE  is  made  up  of  special  purpose  pieces,  each  of  which  can  correspond  to  one  or  more 
basic  electronic  processes  needed  for  a  rights  protection  environment.  These  processes  can  be  combined  together  like 
building  blocks  to  create  electronic  agreements  that  can  protect  the  rights,  and  may  enforce  fulfillment  of  the 
obligations,  of  electronic  information  users  and  providers.  One  or  more  providers  of  electronic  information  can  easily 
combine  selected  building  blocks  to  create  a  rights  application  that  is  unique  to  a  specific  content  distribution  model. 

A  group  of  these  pieces  can  represent  the  capabilities  needed  to  fulfill  the  agreements)  between  users  and  providers. 
These  pieces  accommodate  many  requirements  of  electronic  commerce  including: 

the  distribution  of  permissions  to  use  electronic  information; 

the  persistence  of  the  control  information  and  sets  of  control  information  managing  these  permissions; 
configurable  control  set  information  that  can  be  selected  by  users  for  use  with  such  information; 
data  security  and  usage  auditing  of  electronic  information;  and 
a  secure  system  for  currency,  compensation  and  debit  management. 

For  electronic  commerce,  a  rights  application,  under  the  preferred  embodiment  of  the  present  invention,  can  provide 
electronic  enforcement  of  the  business  agreements  between  all  participants.  Since  different  groups  of  components  can 
be  put  together  for  different  applications,  the  present  invention  can  provide  electronic  control  information  for  a  wide 
variety  of  different  products  and  markets.  This  means  the  present  invention  can  provide  a  "unified,"  efficient,  secure, 
and  cost-effective  system  for  electronic  commerce  and  data  security.  This  allows  VDE  to  serve  as  a  single  standard  for 
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electronic  rights  protection,  data  security,  and  electronic  currency  and  banking. 

In  a  VDE,  the  separation  between  a  rights  application  and  its  foundation  permits  the  efficient  selection  of  sets  of 
control  information  that  are  appropriate  for  each  of  many  different  types  of  applications  and  uses.  These  control  sets 
can  reflect  both  rights  of  electronic  community  members,  as  well  as  obligations  (such  as  providing  a  history  of  one's 
use  of  a  product  or  paying  taxes  on  one's  electronic  purchases).  VDE  flexibility  allows  its  users  to  electronically 
implement  and  enforce  common  social  and  commercial  ethics  and  practices.  By  providing  a  unified  control  system, 
the  present  invention  supports  a  vast  range  of  possible  transaction  related  interests  and  concerns  of  individuals, 
communities,  businesses,  and  governments.  Due  to  its  open  design,  VDE  allows  (normally  under  securely  controlled 
circumstances)  applications  using  technology  independently  created  by  users  to  be  "added"  to  the  system  and  used  in 
conjunction  with  the  foundation  of  the  invention.  In  sum,  VDE  provides  a  system  that  can  fairly  reflect  and  enforce 
agreements  among  parties.  It  is  a  broad  ranging  and  systematic  solution  that  answers  the  pressing  need  for  a  secure, 
cost-effective,  and  fair  electronic  environment. 

VDE  Implementation 

The  preferred  embodiment  of  the  present  invention  includes  various  tools  that  enable  system  designers  to  directly 
insert  VDE  capabilities  into  their  products.  These  tools  include  an  Application  Programmer's  Interface  ("API")  and  a 
Rights  Permissioning  and  Management  Language  ("RPML").  The  RPML  provides  comprehensive  and  detailed  control 
over  the  use  of  the  invention's  features.  VDE  also  includes  certain  user  interface  subsystems  for  satisfying  the  needs  of 
content  providers,  distributors,  and  users. 

Information  distributed  using  VDE  may  take  many  forms.  It  may,  for  example,  be  "distributed"  for  use  on  an 
individuals  own  computer,  that  is  the  present  invention  can  be  used  to  provide  security  for  locally  stored  data. 
Alternatively,  VDE  may  be  used  with  information  that  is  dispersed  by  authors  and/or  publishers  to  one  or  more 
recipients.  This  information  may  take  many  forms  including:  movies,  audio  recordings,  games,  electronic  catalog 
shopping,  multimedia,  training  materials,  E-mail  and  personal  documents,  object  oriented  libraries,  software 
programming  resources,  and  reference/record  keeping  information  resources  (such  as  business,  medical,  legal, 
scientific,  governmental,  and  consumer  databases). 

Electronic  rights  protection  provided  by  the  present  invention  will  also  provide  an  important  foundation  for  trusted  and 
efficient  home  and  commercial  banking,  electronic  credit  processes,  electronic  purchasing,  true  or  conditionally 
anonymous  electronic  cash,  and  EDI  (Electronic  Data  Interchange).  VDE  provides  important  enhancements  for 
improving  data  security  in  organizations  by  providing  "smart"  transaction  management  features  that  can  be  far  more 
effective  than  key  and  password  based  "go/no  go"  technology. 

VDE  normally  employs  an  integration  of  cryptographic  and  other  security  technologies  (e.g.  encryption,  digital 
signatures,  etc.),  with  other  technologies  including:  component,  distributed,  and  event  driven  operating  system 
technology,  and  related  communications,  object  container,  database,  smart  agent,  smart  card,  and  semiconductor 
design  technologies. 

I.  Overview 

A.  VDE  Solves  Important  Problems  and  Fills  Critical  Needs 

The  world  is  moving  towards  an  integration  of  electronic  information  appliances.  This  interconnection  of  appliances 
provides  a  foundation  for  much  greater  electronic  interaction  and  the  evolution  of  electronic  commerce.  A  variety  of 
capabilities  are  required  to  implement  an  electronic  commerce  environment.  VDE  is  the  first  system  that  provides 
many  of  these  capabilities  and  therefore  solves  fundamental  problems  related  to  electronic  dissemination  of 
information. 
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Electronic  Content 

VDE  allows  electronic  arrangements  to  be  created  involving  two  or  more  parties.  These  agreements  can  themselves 
comprise  a  collection  of  agreements  between  participants  in  a  commercial  value  chain  and/or  a  data  security  chain 
model  for  handling,  auditing,  reporting,  and  payment.  It  can  provide  efficient,  reusable,  modifiable,  and  consistent 
means  for  secure  electronic  content:  distribution,  usage  control,  usage  payment,  usage  auditing,  and  usage  reporting. 
Content  may,  for  example,  include: 

financial  information  such  as  electronic  currency  and  credit; 

commercially  distributed  electronic  information  such  as  reference  databases,  movies,  games,  and  advertising;  and 

electronic  properties  produced  by  persons  and  organizations,  such  as  documents,  e-mail,  and  proprietary  database 
information. 

VDE  enables  an  electronic  commerce  marketplace  that  supports  differing,  competitive  business  partnerships, 
agreements,  and  evolving  overall  business  models. 

The  features  of  VDE  allow  it  to  function  as  the  first  trusted  electronic  information  control  environment  that  can 
conform  to,  and  support  the  bulk  of  conventional  electronic  commerce  and  data  security  requirements.  In  particular, 
VDE  enables  the  participants  in  a  business  value  chain  model  to  create  an  electronic  version  of  traditional  business 
agreement  terms  and  conditions  and  further  enables  these  participants  to  shape  and  evolve  their  electronic  commerce 
models  as  they  believe  appropriate  to  their  business  requirements. 

VDE  offers  an  architecture  that  avoids  reflecting  specific  distribution  biases,  administrative  and  control  perspectives, 
and  content  types.  Instead,  VDE  provides  a  broad-spectrum,  fundamentally  configurable  and  portable,  electronic 
transaction  control,  distributing,  usage,  auditing,  reporting,  and  payment  operating  environment.  VDE  is  not  limited  to 
being  an  application  or  application  specific  toolset  that  covers  only  a  limited  subset  of  electronic  interaction  activities 
and  participants.  Rather,  VDE  supports  systems  by  which  such  applications  can  be  created,  modified,  and/or  reused. 
As  a  result,  the  present  invention  answers  pressing,  unsolved  needs  by  offering  a  system  that  supports  a  standardized 
control  environment  which  facilitates  interoperability  of  electronic  appliances,  interoperability  of  content  containers, 
and  efficient  creation  of  electronic  commerce  applications  and  models  through  the  use  of  a  programmable,  secure 
electronic  transactions  management  foundation  and  reusable  and  extensible  executable  components.  VDE  can  support 
a  single  electronic  "world"  within  which  most  forms  of  electronic  transaction  activities  can  be  managed. 

To  answer  the  developing  needs  of  rights  owners  and  content  providers  and  to  provide  a  system  that  can  accommodate 
the  requirements  and  agreements  of  all  parties  that  may  be  involved  in  electronic  business  models  (creators 
distributors,  administrators,  users,  credit  providers,  etc.),  VDE  supplies  an  efficient,  largely  transparent,  low  cost  and 
sufficiently  secure  system  (supporting  both  hardware/software  and  software  only  models).  VDE  provides  the  widely 
varying  secure  control  and  administration  capabilities  required  for: 

1 .  Different  types  of  electronic  content, 

2.  Differing  electronic  content  delivery  schemes, 

3.  Differing  electronic  content  usage  schemes, 

4.  Different  content  usage  platforms,  and 

5.  Differing  content  marketing  and  model  strategies. 
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VDE  may  be  combined  with,  or  integrated  into,  many  separate  computers  and/or  other  electronic  appliances.  These 
appliances  typically  include  a  secure  subsystem  that  can  enable  control  of  content  use  such  as  displaying,  encrypting, 
decrypting,  printing,  copying,  saving,  extracting,  embedding,  distributing,  auditing  usage,  etc.  The  secure  subsystem  in 
the  preferred  embodiment  comprises  one  or  more  "protected  processing  environments",  one  or  more  secure  databases, 
and  secure  "component  assemblies"  and  other  items  and  processes  that  need  to  be  kept  secured.  VDE  can,  for  example, 
securely  control  electronic  currency,  payments,  and/or  credit  management,  (including  electronic  credit  and/or  currency 
receipt  disbursement,  encumbering,  and/or  allocation)  using  such  a  "secure  subsystem." 

VDE  provides  a  secure,  distributed  electronic  transaction  management  system  for  controlling  the  distribution  and/or 
other  usage  of  electronically  provided  and/or  stored  information.  VDE  controls  auditing  and  reporting  of  electronic 
content  and/or  appliance  usage.  Users  of  VDE  may  include  content  creators  who  apply  content  usage,  usage  reporting, 
and/or  usage  payment  related  control  information  to  electronic  content  and/or  appliances  for  users  such  as  end-user 
organizations,  individuals,  and  content  and/or  appliance  distributors.  VDE  also  securely  supports  the  payment  of 
money  owed  (including  money  owed  for  content  and/or  appliance  usage)  by  one  or  more  parties  to  one  or  more  other 
parties,  in  the  form  of  electronic  credit  and/or  currency. 

Electronic  appliances  under  control  of  VDE  represent  VDE  'nodes'  that  securely  process  and  control;  distributed 
electronic  information  and/or  appliance  usage,  control  information  formulation,  and  related  transactions.  VDE  can 
securely  manage  the  integration  of  control  information  provided  by  two  or  more  parties.  As  a  result,  VDE  can 
construct  an  electronic  agreement  between  VDE  participants  that  represent  a  "negotiation"  between,  the  control 
requirements  of,  two  or  more  parties  and  enacts  terms  and  conditions  of  a  resulting  agreement.  VDE  ensures  the  rights 
of  each  party  to  an  electronic  agreement  regarding  a  wide  range  of  electronic  activities  related  to  electronic 
information  and/or  appliance  usage. 

Through  use  of  VDE's  control  system,  traditional  content  providers  and  users  can  create  electronic  relationships  that 
reflect  traditional,  non -electronic  relationships.  They  can  shape  and  modify  commercial  relationships  to  accommodate 
the  evolving  needs  of,  and  agreements  among,  themselves.  VDE  does  not  require  electronic  content  providers  and 
users  to  modify  their  business  practices  and  personal  preferences  to  conform  to  a  metering  and  control  application 
program  that  supports  limited,  largely  fixed  functionality.  Furthermore,  VDE  permits  participants  to  develop  business 
models  not  feasible  with  non -electronic  commerce,  for  example,  involving  detailed  reporting  of  content  usage 
information,  large  numbers  of  distinct  transactions  at  hitherto  infeasibly  low  price  points,  "pass-along"  control 
information  that  is  enforced  without  involvement  or  advance  knowledge  of  the  participants,  etc. 

The  present  invention  allows  content  providers  and  users  to  formulate  their  transaction  environment  to  accommodate: 

(1)  desired  content  models,  content  control  models,  and  content  usage  information  pathways, 

(2)  a  complete  range  of  electronic  media  and  distribution  means, 

(3)  a  broad  range  of  pricing,  payment,  and  auditing  strategies, 

(4)  very  flexible  privacy  and/or  reporting  models, 

(5)  practical  and  effective  security  architectures,  and 

(6)  other  administrative  procedures  that  together  with  steps  (1)  through  (5)  can  enable  most  "real  world"  electronic 
commerce  and  data  security  models,  including  models  unique  to  the  electronic  world. 

VDE's  transaction  management  capabilities  can  enforce: 

(1)  privacy  rights  of  users  related  to  information  regarding  their  usage  of  electronic  information  and/or  appliances, 
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(2)  societal  policy  such  as  laws  that  protect  rights  of  content  users  or  require  the  collection  of  taxes  derived  from 
electronic  transaction  revenue,  and 

(3)  the  proprietary  and/or  other  rights  of  parties  related  to  ownership  of,  distribution  of,  and/or  other  commercial  rights 
related  to,  electronic  information. 

VDE  can  support  "real"  commerce  in  an  electronic  form,  that  is  the  progressive  creation  of  commercial  relationships 
that  form,  over  time,  a  network  of  interrelated  agreements  representing  a  value  chain  business  model.  This  is  achieved 
in  part  by  enabling  content  control  information  to  develop  through  the  interaction  of  (negotiation  between)  securely 
created  and  independently  submitted  sets  of  content  and/or  appliance  control  information.  Different  sets  of  content 
and/or  appliance  control  information  can  be  submitted  by  different  parties  in  an  electronic  business  value  chain 
enabled  by  the  present  invention.  These  parties  create  control  information  sets  through  the  use  of  their  respective  VDE 
installations.  Independently,  securely  deliverable,  component  based  control  information  allows  efficient  interaction 
among  control  information  sets  supplied  by  different  parties. 

VDE  permits  multiple,  separate  electronic  arrangements  to  be  formed  between  subsets  of  parties  in  a  VDE  supported 
electronic  value  chain  model.  These  multiple  agreements  together  comprise  a  VDE  value  chain  "extended"  agreement. 
VDE  allows  such  constituent  electronic  agreements,  and  therefore  overall  VDE  extended  agreements,  to  evolve  and 
reshape  over  time  as  additional  VDE  participants  become  involved  in  VDE  content  and/or  appliance  control 
information  handling.  VDE  electronic  agreements  may  also  be  extended  as  new  control  information  is  submitted  by 
existing  participants.  With  VDE,  electronic  commerce  participants  are  free  to  structure  and  restructure  their  electronic 
commerce  business  activities  and  relationships.  As  a  result,  the  present  invention  allows  a  competitive  electronic 
commerce  marketplace  to  develop  since  the  use  of  VDE  enables  different,  widely  varying  business  models  using  the 
same  or  shared  content. 

A  significant  facet  of  the  present  invention's  ability  to  broadly  support  electronic  commerce  is  its  ability  to  securely 
manage  independently  delivered  VDE  component  objects,  containing  control  information  (normally  in  the  form  of 
VDE  objects  containing  one  or  more  methods,  data,  or  load  module  VDE  components).  This  independently  delivered 
control  information  can  be  integrated  with  senior  and  other  pre-existing  content  control  information  to  securely  form 
derived  control  information  using  the  negotiation  mechanisms  of  the  present  invention.  All  requirements  specified  by 
this  derived  control  information  must  be  satisfied  before  VDE  controlled  content  can  be  accessed  or  otherwise  used. 
This  means  that,  for  example,  all  load  modules  and  any  mediating  data  which  are  listed  by  the  derived  control 
information  as  required  must  be  available  and  securely  perform  their  required  function.  In  combination  with  other 
aspects  of  the  present  invention,  securely,  independently  delivered  control  components  allow  electronic  commerce 
participants  to  freely  stipulate  their  business  requirements  and  trade  offs.  As  a  result,  much  as  with  traditional,  non¬ 
electronic  commerce,  the  present  invention  allows  electronic  commerce  (through  a  progressive  stipulation  of  various 
control  requirements  by  VDE  participants)  to  evolve  into  forms  of  business  that  are  the  most  efficient,  competitive  and 
useful. 

VDE  provides  capabilities  that  rationalize  the  support  of  electronic  commerce  and  electronic  transaction  management. 
This  rationalization  stems  from  the  reusability  of  control  structures  and  user  interfaces  for  a  wide  variety  of  transaction 
management  related  activities.  As  a  result,  content  usage  control,  data  security,  information  auditing,  and  electronic 
financial  activities,  can  be  supported  with  tools  that  are  reusable,  convenient,  consistent,  and  familiar.  In  addition,  a 
rational  approach— a  transaction/distribution  control  standard— allows  all  participants  in  VDE  the  same  foundation  set 
of  hardware  control  and  security,  authoring,  administration,  and  management  tools  to  support  widely  varying  types  of 
information,  business  market  model,  and/or  personal  objectives. 

Employing  VDE  as  a  general  purpose  electronic  transaction/distribution  control  system  allows  users  to  maintain  a 
single  transaction  management  control  arrangement  on  each  of  their  computers,  networks,  communication  nodes, 
and/or  other  electronic  appliances.  Such  a  general  purpose  system  can  serve  the  needs  of  many  electronic  transaction 
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management  applications  without  requiring  distinct,  different  installations  for  different  purposes.  As  a  result,  users  of 
VDE  can  avoid  the  confusion  and  expense  and  other  inefficiencies  of  different,  limited  purpose  transaction  control 
applications  for  each  different  content  and/or  business  model.  For  example,  VDE  allows  content  creators  to  use  the 
same  VDE  foundation  control  arrangement  for  both  content  authoring  and  for  licensing  content  from  other  content 
creators  for  inclusion  into  their  products  or  for  other  use.  Clearinghouses,  distributors,  content  creators,  and  other  VDE 
users  can  all  interact,  both  with  the  applications  running  on  their  VDE  installations,  and  with  each  other,  in  an  entirely 
consistent  manner,  using  and  reusing  (largely  transparently)  the  same  distributed  tools,  mechanisms,  and  consistent 
user  interfaces,  regardless  of  the  type  of  VDE  activity. 

VDE  prevents  many  forms  of  unauthorized  use  of  electronic  information,  by  controlling  and  auditing  (and  other 
administration  of  use)  electronically  stored  and/or  disseminated  information.  This  includes,  for  example,  commercially 
distributed  content,  electronic  currency,  electronic  credit,  business  transactions  (such  as  EDI),  confidential 
communications,  and  the  like.  VDE  can  further  be  used  to  enable  commercially  provided  electronic  content  to  be  made 
available  to  users  in  user  defined  portions,  rather  than  constraining  the  user  to  use  portions  of  content  that  were 
"predetermined"  by  a  content  creator  and/or  other  provider  for  billing  purposes. 

VDE,  for  example,  can  employ: 

(1)  Secure  metering  means  for  budgeting  and/or  auditing  electronic  content  and/or  appliance  usage; 

(2)  Secure  flexible  means  for  enabling  compensation  and/or  billing  rates  for  content  and/or  appliance  usage,  including 
electronic  credit  and/or  currency  mechanisms  for  payment  means; 

(3)  Secure  distributed  database  means  for  storing  control  and  usage  related  information  (and  employing  validated 
compartmentalization  and  tagging  schemes); 

(4)  Secure  electronic  appliance  control  means; 

(5)  A  distributed,  secure,  "virtual  black  box"  comprised  of  nodes  located  at  every  user  (including  VDE  content 
container  creators,  other  content  providers,  client  users,  and  recipients  of  secure  VDE  content  usage  information)  site. 
The  nodes  of  said  virtual  black  box  normally  include  a  secure  subsystem  having  at  least  one  secure  hardware  element 
(a  semiconductor  element  or  other  hardware  module  for  securely  executing  VDE  control  processes),  said  secure 
subsystems  being  distributed  at  nodes  along  a  pathway  of  information  storage,  distribution,  payment,  usage,  and/or 
auditing.  In  some  embodiments,  the  functions  of  said  hardware  element,  for  certain  or  all  nodes,  may  be  performed  by 
software,  for  example,  in  host  processing  environments  of  electronic  appliances; 

(6)  Encryption  and  decryption  means; 

(7)  Secure  communications  means  employing  authentication,  digital  signaturing,  and  encrypted  transmissions.  The 
secure  subsystems  at  said  user  nodes  utilize  a  protocol  that  establishes  and  authenticates  each  node's  and/or 
participant's  identity,  and  establishes  one  or  more  secure  host-to-host  encryption  keys  for  communications  between  the 
secure  subsystems;  and 

(8)  Secure  control  means  that  can  allow  each  VDE  installation  to  perform  VDE  content  authoring  (placing  content  into 
VDE  containers  with  associated  control  information),  content  distribution,  and  content  usage;  as  well  as  clearinghouse 
and  other  administrative  and  analysis  activities  employing  content  usage  information. 

VDE  may  be  used  to  migrate  most  non- electronic,  traditional  information  delivery  models  (including  entertainment, 
reference  materials,  catalog  shopping,  etc.)  into  an  adequately  secure  digital  distribution  and  usage  management  and 
payment  context.  The  distribution  and  financial  pathways  managed  by  a  VDE  arrangement  may  include: 
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content  creator(s), 
distributor(s), 
redistributor(s), 
client  administrator(s), 
client  user(s), 

financial  and/or  other  clearinghouse(s), 
and/or  government  agencies. 

These  distribution  and  financial  pathways  may  also  include: 
advertisers, 

market  survey  organizations,  and/or 

other  parties  interested  in  the  user  usage  of  information  securely  delivered  and/or  stored  using  VDE. 

Normally,  participants  in  a  VDE  arrangement  will  employ  the  same  secure  VDE  foundation.  Alternate  embodiments 
support  VDE  arrangements  employing  differing  VDE  foundations.  Such  alternate  embodiments  may  employ 
procedures  to  ensure  certain  interoperability  requirements  are  met. 

Secure  VDE  hardware  (also  known  as  SPUs  for  Secure  Processing  Units),  or  VDE  installations  that  use  software  to 
substitute  for,  or  complement,  said  hardware  (provided  by  Host  Processing  Environments  (HPEs)),  operate  in 
conjunction  with  secure  communications,  systems  integration  software,  and  distributed  software  control  information 
and  support  structures,  to  achieve  the  electronic  contract/rights  protection  environment  of  the  present  invention. 
Together,  these  VDE  components  comprise  a  secure,  virtual,  distributed  content  and/or  appliance  control,  auditing 
(and  other  administration),  reporting,  and  payment  environment.  In  some  embodiments  and  where  commercially 
acceptable,  certain  VDE  participants,  such  as  clearinghouses  that  normally  maintain  sufficiently  physically  secure  non- 
VDE  processing  environments,  may  be  allowed  to  employ  HPEs  rather  VDE  hardware  elements  and  interoperate,  for 
example,  with  VDE  end-users  and  content  providers.  VDE  components  together  comprise  a  configurable,  consistent, 
secure  and  "trusted"  architecture  for  distributed,  asynchronous  control  of  electronic  content  and/or  appliance  usage. 
VDE  supports  a  "universe  wide"  environment  for  electronic  content  delivery,  broad  dissemination,  usage  reporting, 
and  usage  related  payment  activities. 

VDE  provides  generalized  configurability.  This  results,  in  part,  from  decomposition  of  generalized  requirements  for 
supporting  electronic  commerce  and  data  security  into  a  broad  range  of  constituent  "atomic"  and  higher  level 
components  (such  as  load  modules,  data  elements,  and  methods)  that  may  be  variously  aggregated  together  to  form 
control  methods  for  electronic  commerce  applications,  commercial  electronic  agreements,  and  data  security 
arrangements.  VDE  provides  a  secure  operating  environment  employing  VDE  foundation  elements  along  with  secure 
independently  deliverable  VDE  components  that  enable  electronic  commerce  models  and  relationships  to  develop. 
VDE  specifically  supports  the  unfolding  of  distribution  models  in  which  content  providers,  over  time,  can  expressly 
agree  to,  or  allow,  subsequent  content  providers  and/or  users  participate  in  shaping  the  control  information  for,  and 
consequences  of,  use  of  electronic  content  and/or  appliances.  A  very  broad  range  of  the  functional  attributes  important 
for  supporting  simple  to  very  complex  electronic  commerce  and  data  security  activities  are  supported  by  capabilities  of 
the  present  invention.  As  a  result,  VDE  supports  most  types  of  electronic  information  and/or  appliance:  usage  control 
(including  distribution),  security,  usage  auditing,  reporting,  other  administration,  and  payment  arrangements. 


Page  31  of  54 


VDE,  in  its  preferred  embodiment,  employs  object  software  technology  and  uses  object  technology  to  form 
"containers"  for  delivery  of  information  that  is  (at  least  in  part)  encrypted  or  otherwise  secured.  These  containers  may 
contain  electronic  content  products  or  other  electronic  information  and  some  or  all  of  their  associated  permissions 
(control)  information.  These  container  objects  may  be  distributed  along  pathways  involving  content  providers  and/or 
content  users.  They  may  be  securely  moved  among  nodes  of  a  Virtual  Distribution  Environment  (VDE)  arrangement, 
which  nodes  operate  VDE  foundation  software  and  execute  control  methods  to  enact  electronic  information  usage 
control  and/or  administration  models.  The  containers  delivered  through  use  of  the  preferred  embodiment  of  the  present 
invention  may  be  employed  both  for  distributing  VDE  control  instructions  (information)  and/or  to  encapsulate  and 
electronically  distribute  content  that  has  been  at  least  partially  secured. 

Content  providers  who  employ  the  present  invention  may  include,  for  example,  software  application  and,  game 
publishers,  database  publishers,  cable,  vision,  and  radio  broadcasters,  electronic  shopping  vendors,  and  distributors  of 
information  in  electronic  document,  book  periodical,  e-mail  and/or  other  forms.  Corporations,  government  agencies, 
and/or  individual  "end-users"  who  act  as  storers  of,  and/or  distributors  of,  electronic  information,  may  also  be  VDE 
content  providers  (in  a  restricted  model,  a  user  provides  content  only  to  himself  and  employs  VDE  to  secure  his  own 
confidential  information  against  unauthorized  use  by  other  parties).  Electronic  information  may  include  proprietary 
and/or  confidential  information  for  personal  or  internal  organization  use,  as  well  as  information,  such  as  software 
applications,  documents,  entertainment  materials,  and/or  reference  information,  which  may  be  provided  to  other 
parties.  Distribution  may  be  by,  for  example,  physical  media  delivery;  broadcast  and/or  telecommunication  means,  and 
in  the  form  of  "static"  files  and/or  streams  of  data.  VDE  may  also  be  used,  for  example,  for  multi-site  "real-time" 
interaction  such  as  teleconferencing,  interactive  games,  or  on-line  bulletin  boards,  where  restrictions  on,  and/or 
auditing  of,  the  use  of  all  or  portions  of  communicated  information  is  enforced. 

VDE  provides  important  mechanisms  for  both  enforcing  commercial  agreements  and  enabling  the  protection  of 
privacy  rights.  VDE  can  securely  deliver  information  from  one  party  to  another  concerning  the  use  of  commercially 
distributed  electronic  content.  Even  if  parties  are  separated  by  several  "steps"  in  a  chain  (pathway)  of  handling  for  such 
content-usage  information,  such  information  is  protected  by  VDE  through  encryption  and/or  other  secure  processing. 
Because  of  that  protection,  the  accuracy  of  such  information  is  guaranteed  by  VDE,  and  the  information  can  be  trusted 
by  all  parties  to  whom  it  is  delivered.  Furthermore,  VDE  guarantees  that  all  parties  can  trust  that  such  information 
cannot  be  received  by  anyone  other  than  the  intended,  authorized,  party(ies)  because  it  is  encrypted  such  that  only  an 
authorized  party,  or  her  agents,  can  decrypt  it.  Such  information  may  also  be  derived  through  a  secure  VDE  process  at 
a  previous  pathway- of-handling  location  to  produce  secure  VDE  reporting  information  that  is  then  communicated 
securely  to  its  intended  recipient's  VDE  secure  subsystem.  Because  VDE  can  deliver  such  information  securely, 
parties  to  an  electronic  agreement  need  not  trust  the  accuracy  of  commercial  usage  and/or  other  information  delivered 
through  means  other  than  those  under  control  of  VDE. 

VDE  participants  in  a  commercial  value  chain  can  be  "commercially"  confident  (that  is,  sufficiently  confident  for 
commercial  purposes)  that  the  direct  (constituent)  and/or  "extended"  electronic  agreements  they  entered  into  through 
the  use  of  VDE  can  be  enforced  reliably.  These  agreements  may  have  both  "dynamic"  transaction  management  related 
aspects,  such  as  content  usage  control  information  enforced  through  budgeting,  metering,  and/or  reporting  of 
electronic  information  and/or  appliance  use,  and/or  they  may  include  "static"  electronic  assertions,  such  as  an  end-user 
using  the  system  to  assert  his  or  her  agreement  to  pay  for  services,  not  to  pass  to  unauthorized  parties  electronic 
information  derived  from  usage  of  content  or  systems,  and/or  agreeing  to  observe  copyright  laws.  Not  only  can 
electronically  reported  transaction  related  information  be  trusted  under  the  present  invention,  but  payment  may  be 
automated  by  the  passing  of  payment  tokens  through  a  pathway  of  payment  (which  may  or  may  not  be  the  same  as  a 
pathway  for  reporting).  Such  payment  can  be  contained  within  a  VDE  container  created  automatically  by  a  VDE 
installation  in  response  to  control  information  (located,  in  the  preferred  embodiment,  in  one  or  more  permissions 
records)  stipulating  the  "withdrawal"  of  credit  or  electronic  currency  (such  as  tokens)  from  an  electronic  account  (for 
example,  an  account  securely  maintained  by  a  user's  VDE  installation  secure  subsystem)  based  upon  usage  of  VDE 
controlled  electronic  content  and/or  appliances  (such  as  governments,  financial  credit  providers,  and  users). 
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VDE  allows  the  needs  of  electronic  commerce  participants  to  be  served  and  it  can  bind  such  participants  together  in  a 
universe  wide,  trusted  commercial  network  that  can  be  secure  enough  to  support  very  large  amounts  of  commerce. 
VDE's  security  and  metering  secure  subsystem  core  will  be  present  at  all  physical  locations  where  VDE  related 
content  is  (a)  assigned  usage  related  control  information  (rules  and  mediating  data),  and/or  (b)  used.  This  core  can 
perform  security  and  auditing  functions  (including  metering)  that  operate  within  a  "virtual  black  box,"  a  collection  of 
distributed,  very  secure  VDE  related  hardware  instances  that  are  interconnected  by  secured  information  exchange  (for 
example,  telecommunication)  processes  and  distributed  database  means.  VDE  further  includes  highly  configurable 
transaction  operating  system  technology,  one  or  more  associated  libraries  of  load  modules  along  with  affiliated  data, 
VDE  related  administration,  data  preparation,  and  analysis  applications,  as  well  as  system  software  designed  to  enable 
VDE  integration  into  host  environments  and  applications.  VDE's  usage  control  information,  for  example,  provide  for 
property  content  and/or  appliance  related:  usage  authorization,  usage  auditing  (which  may  include  audit  reduction), 
usage  billing,  usage  payment,  privacy  filtering,  reporting,  and  security  related  communication  and  encryption 
techniques. 

VDE  extensively  employs  methods  in  the  form  of  software  objects  to  augment  configurability,  portability,  and  security 
of  the  VDE  environment.  It  also  employs  a  software  object  architecture  for  VDE  content  containers  that  carries 
protected  content  and  may  also  carry  both  freely  available  information  (e.g,  summary,  table  of  contents)  and  secured 
content  control  information  which  ensures  the  performance  of  control  information.  Content  control  information 
governs  content  usage  according  to  criteria  set  by  holders  of  rights  to  an  object's  contents  and/or  according  to  parties 
who  otherwise  have  rights  associated  with  distributing  such  content  (such  as  governments,  financial  credit  providers, 
and  users). 

In  part,  security  is  enhanced  by  object  methods  employed  by  the  present  invention  because  the  encryption  schemes 
used  to  protect  an  object  can  efficiently  be  further  used  to  protect  the  associated  content  control  information  (software 
control  information  and  relevant  data)  from  modification.  Said  object  techniques  also  enhance  portability  between 
various  computer  and/or  other  appliance  environments  because  electronic  information  in  the  form  of  content  can  be 
inserted  along  with  (for  example,  in  the  same  object  container  as)  content  control  information  (for  said  content)  to 
produce  a  "published"  object.  As  a  result,  various  portions  of  said  control  information  may  be  specifically  adapted  for 
different  environment  such  as  for  diverse  computer  platforms  and  operating  systems,  and  said  various  portions  may  all 
be  carried  by  a  VDE  container. 

An  objective  of  VDE  is  supporting  a  transaction/distribution  control  standard.  Development  of  such  a  standard  has 
many  obstacles,  given  the  security  requirements  and  relates  hardware  and  communications  issues,  widely  differing 
environments,  information  types,  types  of  information  usage,  business  and/or  data  security  goals,  varieties  of 
participants,  and  properties  of  delivered  information.  A  significant  feature  of  VDE  accommodates  the  many,  varying 
distribution  and  other  transaction  variables  by,  in  part,  decomposing  electronic  commerce  and  data  security  functions 
into  generalized  capability  modules  executable  within  a  secure  hardware  SPU  and/or  corresponding  software 
subsystem  and  further  allowing  extensive  flexibility  in  assembling,  modifying,  and/or  replacing,  such  modules  (e.g. 
load  modules  and/or  methods)  in  applications  run  on  a  VDE  installation  foundation.  This  configurability  and 
reconfigurability  allows  electronic  commerce  and  data  security  participants  to  reflect  their  priorities  and  requirements 
through  a  process  of  iteratively  shaping  an  evolving  extended  electronic  agreement  (electronic  control  model).  This 
shaping  can  occur  as  content  control  information  passes  from  one  VDE  participant  to  another  and  to  the  extent  allowed 
by  "in  place"  content  control  information.  This  process  allows  users  of  VDE  to  recast  existing  control  information 
and/or  add  new  control  information  as  necessary  (including  the  elimination  of  no  longer  required  elements). 

VDE  supports  trusted  (sufficiently  secure)  electronic  information  distribution  and  usage  control  models  for  both 
commercial  electronic  content  distribution  and  data  security  applications.  It  can  be  configured  to  meet  the  diverse 
requirements  of  a  network  of  interrelated  participants  that  may  include  content  creators,  content  distributors,  client 
administrators,  end  users  and/or  clearinghouses  and/or  other  content  usage  information  users.  These  parties  may 
constitute  a  network  of  participants  involved  in  simple  to  complex  electronic  content  dissemination,  usage  control, 
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usage  reporting,  and/or  usage  payment.  Disseminated  content  may  include  both  originally  provided  and  VDE 
generated  information  (such  as  content  usage  information)  and  content  control  information  may  persist  through  both 
chains  (one  or  more  pathways)  of  content  and  content  control  information  handling,  as  well  as  the  direct  usage  of 
content.  The  configurability  provided  by  the  present  invention  is  particularly  critical  for  supporting  electronic 
commerce,  that  is  enabling  businesses  to  create  relationships  and  evolve  strategies  that  offer  competitive  value. 
Electronic  commerce  tools  that  are  not  inherently  configurable  and  interoperable  will  ultimately  fail  to  produce 
products  (and  services)  that  meet  both  basic  requirements  and  evolving  needs  of  most  commerce  applications. 

VDE's  fundamental  configurability  will  allow  a  broad  range  of  competitive  electronic  commerce  business  models  to 
flourish.  It  allows  business  models  to  be  shaped  to  maximize  revenues  sources,  end-user  product  value,  and  operating 
efficiencies.  VDE  can  be  employed  to  support  multiple,  differing  models,  take  advantage  of  new  revenue 
opportunities,  and  deliver  product  configurations  most  desired  by  users.  Electronic  commerce  technologies  that  do  not, 
as  the  present  invention  does: 

support  a  broad  range  of  possible,  complementary  revenue  activities, 

offer  a  flexible  array  of  content  usage  features  most  desired  by  customers,  and 

exploit  opportunities  for  operating  efficiencies,  will  result  in  products  that  are  often  intrinsically  more  costly  and  less 
appealing  and  therefore  less  competitive  in  the  marketplace. 

Some  of  the  key  factors  contributing  to  the  configurability  intrinsic  to  the  present  invention  include: 

(a)  integration  into  the  fundamental  control  environment  of  a  broad  range  of  electronic  appliances  through  portable 
API  and  programming  language  tools  that  efficiently  support  merging  of  control  and  auditing  capabilities  in  nearly  any 
electronic  appliance  environment  while  maintaining  overall  system  security; 

(b)  modular  data  structures; 

(c)  generic  content  model; 

(d)  general  modularity  and  independence  of  foundation  architectural  components; 

(e)  modular  security  structures; 

(f)  variable  length  and  multiple  branching  chains  of  control;  and 

(g)  independent,  modular  control  structures  in  the  form  of  executable  load  modules  that  can  be  maintained  in  one  or 
more  libraries,  and  assembled  into  control  methods  and  models,  and  where  such  model  control  schemes  can  "evolve" 
as  control  information  passes  through  the  VDE  installations  of  participants  of  a  pathway  of  VDE  content  control 
information  handling. 

Because  of  the  breadth  of  issues  resolved  by  the  present  invention,  it  can  provide  the  emerging  "electronic  highway" 
with  a  single  transaction/distribution  control  system  that  can,  for  a  very  broad  range  of  commercial  and  data  security 
models,  ensure  against  unauthorized  use  of  confidential  and/or  proprietary  information  and  commercial  electronic 
transactions.  VDE's  electronic  transaction  management  mechanisms  can  enforce  the  electronic  rights  and  agreements 
of  all  parties  participating  in  widely  varying  business  and  data  security  models,  and  this  can  be  efficiently  achieved 
through  a  single  VDE  implementation  within  each  VDE  participant's  electronic  appliance.  VDE  supports  widely 
varying  business  and/or  data  security  models  that  can  involve  a  broad  range  of  participants  at  various  "levels"  of  VDE 
content  and/or  content  control  information  pathways  of  handling.  Different  content  control  and/or  auditing  models  and 
agreements  may  be  available  on  the  same  VDE  installation.  These  models  and  agreements  may  control  content  in 
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relationship  to,  for  example,  VDE  installations  and/or  users  in  general;  certain  specific  users,  installations,  classes 
and/or  other  groupings  of  installations  and/or  users;  as  well  as  to  electronic  content  generally  on  a  given  installation,  to 
specific  properties,  property  portions,  classes  and/or  other  groupings  of  content. 

Distribution  using  VDE  may  package  both  the  electronic  content  and  control  information  into  the  fame  VDE 
container,  and/or  may  involve  the  delivery  to  an  end-user  site  of  different  pieces  of  the  same  VDE  managed  property 
from  plural  separate  remote  locations  and/or  in  plural  separate  VDE  content  containers  and/or  employing  plural 
different  delivery  means.  Content  control  information  may  be  partially  or  fully  delivered  separately  from  its  associated 
content  to  a  user  VDE  installation  in  one  or  more  VDE  administrative  objects.  Portions  of  said  control  information 
may  be  delivered  from  one  or  more  sources.  Control  information  may  also  be  available  for  use  by  access  from  a  user's 
VDE  installation  secure  sub-system  to  one  or  more  remote  VDE  secure  sub -systems  and/or  VDE  compatible,  certified 
secure  remote  locations.  VDE  control  processes  such  as  metering,  budgeting,  decrypting  and/or  fingerprinting,  may  as 
relates  to  a  certain  user  content  usage  activity,  be  performed  in  a  user's  local  VDE  installation  secure  subsystem,  or 
said  processes  may  be  divided  amongst  plural  secure  subsystems  which  may  be  located  in  the  same  user  VDE 
installations  and/or  in  a  network  server  and  in  the  user  installation.  For  example,  a  local  VDE  installation  may  perform 
decryption  and  save  any,  or  all  of,  usage  metering  information  related  to  content  and/or  electronic  appliance  usage  at 
such  user  installation  could  be  performed  at  the  server  employing  secure  (e.g.,  encrypted)  communications  between 
said  secure  subsystems.  Said  server  location  may  also  be  used  for  near  real  time,  frequent,  or  more  periodic  secure 
receipt  of  content  usage  information  from  said  user  installation,  with,  for  example,  metered  information  being 
maintained  only  temporarily  at  a  local  user  installation. 

Delivery  means  for  VDE  managed  contest  may  include  electronic  data  storage  means  such  as  optical  disks  for 
delivering  one  portion  of  said  information  and  broadcasting  and/or  telecommunicating  means  other  portions  of  said 
information.  Electronic  data  storage  means  may  include  magnetic  media,  optical  media,  combined  magneto- optical 
systems,  flash  RAM  memory,  bubble  memory,  and/or  other  memory  storage  means  such  as  huge  capacity  optical 
storage  systems  employing  holographic,  frequency,  and/or  polarity  data  storage  techniques.  Data  storage  means  may 
also  employ  layered  disc  techniques,  such  as  the  use  of  generally  transparent  and/or  translucent  materials  that  pass 
light  through  layers  of  data  carrying  discs  which  themselves  are  physically  packaged  together  as  one  thicker  disc.  Data 
carrying  locations  on  such  discs  may  be,  at  least  in  part,  opaque. 

VDE  supports  a  general  purpose  foundation  for  secure  transaction  management,  including  usage  control,  auditing, 
reporting,  and/or  payment.  This  general  purpose  foundation  is  called  "VDE  Functions"  ("VDEFs").  VDE  also  supports 
a  collection  of  "atomic"  application  elements  (e.g.,  load  modules)  that  can  be  selectively  aggregated  together  to  form 
various  VDEF  capabilities  called  control  methods  and  which  serve  as  VDEF  applications  and  operating  system 
functions.  When  a  host  operating  environment  of  an  electronic  appliance  includes  VDEF  capabilities,  it  is  called  a 
"Rights  Operating  System"  (ROS).  VDEF  load  modules,  associated  data,  and  methods  form  a  body  of  information  that 
for  the  purposes  of  the  present  invention  are  called  "control  information."  VDEF  control  information  may  be 
specifically  associated  with  one  or  more  pieces  of  electronic  content  and/or  it  may  be  employed  as  a  general 
component  of  the  operating  system  capabilities  of  a  VDE  installation. 

VDEF  transaction  control  elements  reflect  and  enact  content  specific  and/or  more  generalized  administrative  (for 
example,  general  operating  system)  control  information.  VDEF  capabilities  which  can  generally  take  the  form  of 
applications  (application  models)  that  have  more  or  less  configurability  which  can  be  shaped  by  VDE  participants, 
through  the  use,  for  example,  of  VDE  templates,  to  employ  specific  capabilities,  along,  for  example,  with  capability 
parameter  data  to  reflect  the  elements  of  one  or  more  express  electronic  agreements  between  VDE  participants  in 
regards  to  the  use  of  electronic  content  such  as  commercially  distributed  products.  These  control  capabilities  manage 
the  use  of,  and/or  auditing  of  use  of,  electronic  content,  as  well  as  reporting  information  based  upon  content  use,  and 
any  payment  for  said  use.  VDEF  capabilities  may  "evolve"  to  reflect  the  requirements  of  one  or  more  successive 
parties  who  receive  or  otherwise  contribute  to  a  given  set  of  control  information.  Frequently,  for  a  VDE  application  for 
a  given  content  model  (such  as  distribution  of  entertainment  on  CD-ROM,  content  delivery  from  an  Internet 
repository,  or  electronic  catalog  shopping  and  advertising,  or  some  combination  of  the  above)  participants  would  be 
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able  to  securely  select  from  amongst  available,  alternative  control  methods  and  apply  related  parameter  data,  wherein 
such  selection  of  control  method  and/or  submission  of  data  would  constitute  their  "contribution"  of  control 
information.  Alternatively,  or  in  addition,  certain  control  methods  that  have  been  expressly  certified  as  securely 
interoperable  and  compatible  with  said  application  may  be  independently  submitted  by  a  participant  as  part  of  such  a 
contribution.  In  the  most  general  example,  a  generally  certified  load  module  (certified  for  a  given  VDE  arrangement 
and/or  content  class)  may  be  used  with  many  or  any  VDE  application  that  operates  in  nodes  of  said  arrangement. 

These  parties,  to  thee  extent  they  are  allowed,  cad  independently  and  securely  add,  delete,  and/or  otherwise  modify  the 
specification  of  load  modules  and  methods,  as  well  as  add,  delete  or  otherwise  modify  related  information. 

Normally  the  party  who  creates  a  VDE  content  container  defines  the  general  nature  of  the  VDEF  capabilities  that  will 
and/or  may  apply  to  certain  electronic  information.  A  VDE  content  container  is  an  object  that  contains  both  content 
(for  example,  commercially  distributed  electronic  information  products  such  as  computer  software  programs,  movies, 
electronic  publications  or  reference  materials,  etc.)  and  certain  control  information  related  to  the  use  of  the  object's 
content.  A  creating  party  may  make  a  VDE  container  available  to  other  parties.  Control  information  delivered  by, 
and/or  otherwise  available  for  use  with,  VDE  content  containers  comprise  (for  commercial  content  distribution 
purposes)  VDEF  control  capabilities  (and  any  associated  parameter  data)  for  electronic  content.  These  capabilities  may 
constitute  one  or  more  "proposed"  electronic  agreements  (and/or  agreement  functions  available  for  selection  and/or 
use  with  parameter  data)  that  manage  the  use  and/or  the  consequences  of  use  of  such  content  and  which  can  enact  the 
terms  and  conditions  of  agreements  involving  multiple  parties  and  their  various  rights  and  obligations. 

A  VDE  electronic  agreement  may  be  expicit,  through  a  user  interface  acceptance  by  one  or  more  parties,  for  example 
by  a  "junior"  party  who  has  received  control  information  from  a  "senior"  party,  or  it  may  be  a  process/amongst  equal 
parties  who  individually  assert  their  agreement.  Agreement  may  also  result  from  an  automated  electronic  process 
during  which  terms  and  conditions  are  "evaluated"  by  certain  VDE  participant  control  information  that  assesses 
whether  certain  other  electronic  terms  and  conditions  attached  to  content  and/or  submitted  by  another  party  are 
acceptable  (do  not  violate  acceptable  control  information  criteria).  Such  an  evaluation  process  may  be  quite  simple,  for 
example  a  comparison  to  ensure  compatibility  between  a  portion  of,  or  all  senior,  control  terms  and  conditions  in  a 
table  of  terms  and  conditions  and  the  submitted  control  information  of  a  subsequent  participant  in  a  pathway  of  content 
control  information  handling,  or  it  may  be  a  more  elaborate  process  that  evaluates  the  potential  outcome  of,  and/or 
implements  a  negotiation  process  between,  two  or  more  sets  of  control  information  submitted  by  two  or  more  parties. 
VDE  also  accommodates  a  semi -automated  process  during  which  one  or  more  VDE  participants  directly,  through  user 
interface  means,  resolve  "disagreements"  between  control  information  sets  by  accepting  and/or  proposing  certain 
control  information  that  may  be  acceptable  to  control  information  representing  one  or  more  other  parties  interests 
and/or  responds  to  certain  user  interface  queries  for  selection  of  certain  alternative  choices  and/or  for  certain  parameter 
information,  the  responses  being  adopted  if  acceptable  to  applicable  senior  control  information. 

When  another  party  (other  than  the  first  applier  of  rules),  perhaps  through  a  negotiation  process,  accepts,  and/or  adds 
to  and/or  otherwise  modifies,  "in  place"  content  control  information,  a  VDE  agreement  between  two  or  more  parties 
related  to  the  use  of  such  electronic  content  may  be  created  (so  long  as  any  modifications  are  consistent  with  senior 
control  information).  Acceptance  of  terms  and  conditions  related  to  certain  electronic  content  may  be  direct  and 
express,  or  it  may  be  implicit  as  a  result  of  use  of  content  (depending,  for  example,  on  legal  requirements,  previous 
exposure  to  such  terms  and  conditions,  and  requirements  of  in  place  control  information). 

VDEF  capabilities  may  be  employed,  and  a  VDE  agreement  may  be  entered  into,  by  a  plurality  of  parties  without  the 
VDEF  capabilities  being  directly  associated  with  the  controlling  of  certain,  specific  electronic  information.  For 
example,  certain  one  or  more  VDEF  capabilities  may  be  present  at  a  VDE  installation,  and  certain  VDE  agreements 
may  have  been  entered  into  during  the  registration  process  for  a  content  distribution  application,  to  be  used  by  such 
installation  for  securely  controlling  VDE  content  usage,  auditing,  reporting  and/or  payment.  Similarly,  a  specific  VDE 
participant  may  enter  into  a  VDE  user  agreement  with  a  VDE  content  or  electronic  appliance  provider  when  the  user 
and/or  her  appliance  register  with  such  provider  as  a  VDE  installation  and/or  user.  In  such  events,  VDEF  in  place 
control  information  available  to  the  user  VDE  installation  may  require  that  certain  VDEF  methods  are  employed,  for 
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example  in  a  certain  sequence,  in  order  to  be  able  to  use  all  and/or  certain  classes,  of  electronic  content  and/or  VDE 
applications. 

VDE  ensures  that  certain  prerequisites  necessary  for  a  given  transaction  to  occur  are  met.  This  includes  the  secure 
execution  of  any  required  load  modules  and  the  availability  of  any  required,  associated  data.  For  example,  required 
load  modules  and  data  (e.g.  in  the  form  of  a  method)  might  specify  that  sufficient  credit  from  an  authorized  sours  must 
be  confirmed  as  available.  It  might  further  require  certain  one  or  more  load  modules  execute  as  processes  at  an 
appropriate  time  to  ensure  that  such  credit  will  be  used  in  order  to  pay  for  user  use  of  the  content.  A  certain  content 
provider  might,  for  example,  require  metering  the  number  of  copies  made  for  distribution  to  employees  of  a  given 
software  program  (a  portion  of  the  program  might  be  maintained  in  encrypted  form  and  require  the  presence  of  a  VDE 
installation  to  run).  This  would  require  the  execution  of  a  metering  method  for  copying  of  the  property  each  time  a 
copy  was  made  for  another  employee.  This  same  provider  might  also  charge  fees  based  on  the  total  number  of 
different  properties  licensed  from  them  by  the  user  and  a  metering  history  of  their  licensing  of  properties  might  be 
required  to  maintain  this  information. 

VDE  provides  organization,  community,  and/or  universe  wide  secure  environments  whose  integrity  is  assured  by 
processes  securely  controlled  in  VDE  participant  user  installations  (nodes).  VDE  installations,  in  the  preferred 
embodiment,  may  include  both  software  and  tamper  resistant  hardware  semiconductor  elements.  Such  a  semiconductoi 
arrangement  comprises,  at  least  in  part,  special  purpose  circuitry  that  has  been  designed  to  protect  against  tampering 
with,  or  unauthorized  observation  of,  the  information  and  functions  used  in  performing  the  VDE's  control  functions. 
The  special  purpose  secure  circuitry  provided  by  the  present  invention  includes  at  least  one  of:  a  dedicated 
semiconductor  arrangement  known  as  a  Secure  Processing  Unit  (SPU)  and/or  a  standard  microprocessor, 
microcontroller,  and/or  other  pressing  logic  that  accommodates  the  requirements  of  the  present  invention  and 
functions  as  an  SPU.  VDE's  secure  hardware  may  be  found  incorporated  into,  for  example,  a  fax/modem  chip  or  chip 
pack,  EO  controller,  video  display  controller,  and/or  other  available  digital  processing  arrangements.  It  is  anticipated 
that  portions  of  the  present  invention's  VDE  secure  hardware  capabilities  may  ultimately  be  standard  design  elements 
of  central  processing  units  (CPUs)  for  computers  and  various  other  electronic  devices. 

Designing  VDE  capabilities  into  one  or  more  standard  microprocessor,  microcontroller  and/or  other  digital  processing 
components  may  materially  reduce  VDE  related  hardware  costs  by  employing  the  same  hardware  resources  for  both 
the  transaction  management  uses  contemplated  by  the  present  invention  and  for  other,  host  electronic  appliance 
functions.  This  means  that  a  VDE  SPU  can  employ  (share)  circuitry  elements  of  a  "standard"  CPU.  For  example,  if  a 
"standard"  processor  can  operate  in  protected  mode  and  can  execute  VDE  related  instructions  as  a  protected  activity, 
then  such  an  embodiment  may  provide  sufficient  hardware  security  for  a  variety  of  applications  and  the  expense  of  a 
special  purpose  processor  might  be  avoided.  Under  one  preferred  embodiment  of  the  present  invention,  certain 
memory  (e.g.,  RAM,  ROM,  NVRAM)  is  maintained  during  VDE  related  instruction  processing  in  a  protected  mode 
(for  example,  as  supported  by  protected  mode  microprocessors).  This  memory  is  located  in  the  same  package  as  the 
processing  logic  (e.g.  processor).  Desirably,  the  packaging  and  memory  of  such  a  processor  would  be  designed  using 
security  techniques  that  enhance  its  resistance  to  tampering. 

The  degree  of  overall  security  of  the  VDE  system  is  primarily  dependent  on  the  degree  of  tamper  resistance  and 
concealment  of  VDE  control  process  execution  and  related  data  storage  activities.  Employing  special  purpose 
semiconductor  packaging  techniques  can  significantly  contribute  to  the  degree  of  security.  Concealment  and  tamper- 
resistance  in  semiconductor  memory  (e.g.,  RAM,  ROM,  NVRAM)  can  be  achieved,  in  part,  by  employing  such 
memory  within  an  SPU  package,  by  encrypting  data  before  it  is  sent  to  external  memory  (such  as  an  external  RAM 
package)  and  decrypting  encrypted  data  within  the  CPU/RAM  package  before  it  is  executed.  This  process  is  used  for 
important  VDE  related  data  when  such  data  is  stored  on  unprotected  media,  for  example,  standard  host  storage,  such 
as  random  access  memory,  mass  storage,  etc.  In  that  event,  a  VDE  SPU  would  encrypt  data  that  results  from  a  secure 
VDE  execution  before  such  data  was  stored  in  external  memory. 

Summary  of  Some  Important  Features  Provided  by  VDE  in  Accordance  with  the  Present  Invention 
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VDE  employs  a  variety  of  capabilities  that  serve  as  a  foundation  for  a  general  purpose,  sufficiently  secure  distributed 
electronic  commerce  solution.  VDE  enables  an  electronic  commerce  marketplace  that  supports  divergent,  competitive 
business  partnerships,  agreements,  and  evolving  overall  business  models.  For  example,  VDE  includes  features  that: 

"sufficiently"  impede  unauthorized  and/or  uncompensated  use  of  electronic  information  and/or  appliances  through  the 
use  of  secure  communication,  storage,  and  transaction  management  technologies.  VDE  supports  a  model  wide, 
distributed  security  implementation  which  creates  a  single  secure  "virtual"  transaction  processing  and  information 
storage  environment.  VDE  enables  distributed  VDE  installations  to  securely  store  and  communicate  information  and 
remotely  control  the  execution  processes  and  the  character  of  use  of  electronic  information  at  other  VDE  installations 
and  in  a  wide  variety  of  ways; 

support  low-cost,  efficient,  and  effective  security  architectures  for  transaction  control,  auditing,  reporting,  and  related 
communications  and  information  storage.  VDE  may  employ  tagging  related  security  techniques,  the  time -ageing  of 
encryption  keys,  the  compartmentalization  of  both  stored  control  information  (including  differentially  tagging  such 
stored  information  to  ensure  against  substitution  and  tampering)  and  distributed  content  (to,  for  many  content 
applications,  employ  one  or  more  content  encryption  keys  that  are  unique  to  the  specific  VDE  installation  and/or  user), 
private  key  techniques  such  as  triple  DES  to  encrypt  content,  public  key  techniques  such  as  RSA  to  protect 
communications  and  to  provide  the  benefits  of  digital  signature  and  authentication  to  securely  bind  together  the  nodes 
of  a  VDE  arrangement,  secure  processing  of  important  transaction  management  executable  code,  and  a  combining  of  a 
small  amount  of  highly  secure,  hardware  protected  storage  space  with  a  much  larger  "exposed"  mass  media  storage 
space  storing  secured  (normally  encrypted  and  tagged)  control  and  audit  information.  VDE  employs  special  purpose 
hardware  distributed  throughout  some  or  all  locations  of  a  VDE  implementation:  a)  said  hardware  controlling 
important  elements  of:  content  preparation  (such  as  causing  such  content  to  be  placed  in  a  VDE  content  container  and 
associating  content  control  information  with  said  content),  content  and/or  electronic  appliance  usage  auditing,  content 
usage  analysis,  as  well  as  content  usage  control;  and  b)  said  hardware  having  been  designed  to  securely  handle 
processing  load  module  control  activities,  wherein  said  control  processing  activities  may  involve  a  sequence  of 
required  control  factors; 

support  dynamic  user  selection  of  information  subsets  of  a  VDE  electronic  information  product  (VDE  controlled 
content).  This  contrasts  with  the  constraints  of  having  to  use  a  few  high  level  individual,  pre -defined  content  provider 
information  increments  such  as  being  required  to  select  a  whole  information  product  or  product  section  in  order  to 
acquire  or  otherwise  use  a  portion  of  such  product  or  section.  VDE  supports  metering  and  usage  control  over  a  variety 
of  increments  (including  "atomic"  increments,  and  combinations  of  different  increment  types)  that  are  selected  ad  hoc 
by  a  user  and  represent  a  collection  of  pre -identified  one  or  more  increments  (such  as  one  or  more  blocks  of  a 
preidentified  nature,  e.g.,  bytes,  images,  logically  related  blocks)  that  form  a  generally  arbitrary,  but  logical  to  a  user, 
content  "deliverable."  VDE  control  information  (including  budgeting,  pricing  and  metering)  can  be  configured  so  that 
it  can  specifically  apply,  as  appropriate,  to  ad  hoc  selection  of  different,  unanticipated  variable  user  selected 
aggregations  of  information  increments  and  pricing  levels  can  be,  at  least  in  part,  based  on  quantities  and/or  nature  of 
mixed  increment  selections  (for  example,  a  certain  quantity  of  certain  text  could  mean  associated  images  might  be 
discounted  by  15%;  a  greater  quantity  of  text  in  the  "mixed"  increment  selection  might  mean  the  images  are 
discounted  20%).  Such  user  selected  aggregated  information  increments  can  reflect  the  actual  requirements  of  a  user 
for  information  and  is  more  flexible  than  being  limited  to  a  single,  or  a  few,  high  level,  (e.g.  product,  document, 
database  record)  predetermined  increments.  Such  high  level  increments  may  include  quantities  of  information  not 
desired  by  the  user  and  as  a  result  be  more  costly  than  the  subset  of  information  needed  by  the  user  if  such  a  subset 
was  available.  In  sum,  the  present  invention  allows  information  contained  in  electronic  information  products  to  be 
supplied  according  to  user  specification.  Tailoring  to  user  specification  allows  the  present  invention  to  provide  the 
greatest  value  to  users,  which  in  turn  will  generate  the  greatest  amount  of  electronic  commerce  activity.  The  user,  for 
example,  would  be  able  to  define  an  aggregation  of  content  derived  from  various  portions  of  an  available  content 
product,  but  which,  as  a  deliverable  for  use  by  the  user,  is  an  entirely  unique  aggregated  increment.  The  user  may,  for 
example,  select  certain  numbers  of  bytes  of  information  from  various  portions  of  an  information  product,  such  as  a 
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reference  work,  and  copy  them  to  disc  in  unencrypted  form  and  be  billed  based  on  total  number  of  bytes  plus  a 
surcharge  on  the  number  of  "articles"  that  provided  the  bytes.  A  content  provider  might  reasonably  charge  less  for 
such  a  user  defined  information  increment  since  the  user  does  not  require  all  of  the  content  from  all  of  the  articles  that 
contained  desired  information.  This  process  of  defining  a  user  desired  information  increment  may  involve  artificial 
intelligence  database  search  tools  that  contribute  to  the  location  of  the  most  relevant  portions  of  information  from  an 
information  product  and  cause  the  automatic  display  to  the  user  of  information  describing  search  criteria  hits  for  user 
selection  or  the  automatic  extraction  and  delivery  of  such  portions  to  the  user.  VDE  further  supports  a  wide  variety  of 
predefined  increment  types  including: 

bytes, 

images, 

content  over  time  for  audio  or  video,  or  any  other  increment  that  can  be  identified  by  content  provider  data  mapping 
efforts,  such  as: 

sentences, 

paragraphs, 

articles, 

database  records,  and 

byte  offsets  representing  increments  of  logically  related  information. 

VDE  supports  as  many  simultaneous  predefined  increment  types  as  may  be  practical  for  a  given  type  of  content  and 
business  model. 

securely  store  at  a  user's  site  potentially  highly  detailed  information  reflective  of  a  user's  usage  of  a  variety  of  different 
content  segment  types  and  employing  both  inexpensive  "exposed"  host  mass  storage  for  maintaining  detailed 
information  in  the  form  of  encrypted  data  and  maintaining  summary  information  for  security  testing  in  highly  secure 
special  purpose  VDE  installation  nonvolatile  memory  (if  available). 

support  trusted  chain  of  handling  capabilities  for  pathways  of  distributed  electronic  information  and/or  for  content 
usage  related  information.  Such  chains  may  extend,  for  example,  from  a  content  creator,  to  a  distributor,  a 
redistributor,  a  client  user,  and  then  may  provide  a  pathway  for  securely  reporting  the  same  and/or  differing  usage 
information  to  one  or  more  auditors,  such  as  to  one  or  more  independent  clearinghouses  and  then  back  to  the  content 
providers,  including  content  creators.  The  same  and/or  different  pathways  employed  for  certain  content  handling,  and 
related  content  control  information  and  reporting  information  handling,  may  also  be  employed  as  one  or  more 
pathways  for  electronic  payment  handling  (payment  is  characterized  in  the  present  invention  as  administrative  content) 
for  electronic  content  and/or  appliance  usage.  These  pathways  are  used  for  conveyance  of  all  or  portions  of  content, 
and/or  content  related  control  information.  Content  creators  and  other  providers  can  specify  the  pathways  that, 
partially  or  fully,  must  be  used  to  disseminate  commercially  distributed  property  content,  content  control  information, 
payment  administrative  content,  and/or  associated  usage  reporting  information.  Control  information  specified  by 
content  providers  may  also  specify  which  specific  parties  must  or  may  (including,  for  example,  a  group  of  eligible 
parties  from  which  a  selection  may  be  made)  handle  conveyed  information.  It  may  also  specify  what  transmission 
means  (for  example  telecommunication  carriers  or  media  types)  and  transmission  hubs  must  or  may  be  used. 

support  flexible  auditing  mechanisms,  such  as  employing  "bitmap  meters,"  that  achieve  a  high  degree  of  efficiency  of 
operation  and  throughput  and  allow,  in  a  practical  manner,  the  retention  and  ready  recall  of  information  related  to 
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previous  usage  activities  and  related  patterns.  This  flexibility  is  adaptable  to  a  wide  variety  of  billing  and  security 
control  strategies  such  as: 

upgrade  pricing  (e.g.  suite  purchases), 

pricing  discounts  (including  quantity  discounts), 

billing  related  time  duration  variables  such  as  discounting  new  purchases  based  on  the  timing  of  past  purchases,  and 

security  budgets  based  on  quantity  of  different,  logically  related  units  of  electronic  information  used  over  an  interval 
of  time. 

Use  of  bitmap  meters  (including  "regular"  and  "wide"  bitmap  meters)  to  record  usage  and/or  purchase  of  information, 
in  conjunction  with  other  elements  of  the  preferred  embodiment  of  the  present  invention,  uniquely  supports  efficient 
maintenance  of  usage  history  for:  (a)  rental,  (b)  flat  fee  licensing  or  purchase,  (c)  licensing  or  purchase  discounts  based 
upon  historical  usage  variables,  and  (d)  reporting  to  users  in  a  manner  enabling  users  to  determine  whether  a  certain 
item  was  acquired,  or  acquired  within  a  certain  time  period  (without  requiring  the  use  of  conventional  database 
mechanisms,  which  are  highly  inefficient  for  these  applications).  Bitmap  meter  methods  record  activities  associated 
with  electronic  appliances,  properties,  objects,  or  portions  thereof  and/or  administrative  activities  that  are  independent 
of  specific  properties,  objects,  etc.,  performed  by  a  user  and/or  electronic  appliance  such  that  a  content  and/or 
appliance  provider  and/or  controller  of  an  administrative  activity  can  determine  whether  a  certain  activity  has  occurred 
at  some  point,  or  during  a  certain  period,  in  the  past  (for  example,  certain  use  of  a  commercial  electronic  content 
product  and/or  appliance).  Such  determinations  can  then  be  used  as  part  of  pricing  and/or  control  strategies  of  a 
content  and/or  appliance  provider,  and/or  controller  of  an  administrative  activity.  For  example,  the  content  provider 
may  choose  to  charge  only  once  for  access  to  a  portion  of  a  property,  regardless  of  the  number  of  times  that  portion  of 
the  property  is  accessed  by  a  user. 

support  "launchable"  content,  that  is  content  that  can  be  provided  by  a  content  provider  to  an  end-user,  who  can  then 
copy  or  pass  along  the  content  to  other  end-user  parties  without  requiring  the  direct  participation  of  a  content  provider 
to  register  and/or  otherwise  initialize  the  content  for  use.  This  content  goes  "out  of  (the  traditional  distribution) 
channel"  in  the  form  of  a  "traveling  object."  Traveling  objects  are  containers  that  securely  carry  at  least  some 
permissions  information  and/or  methods  that  are  required  for  their  use  (such  methods  need  not  be  carried  by  traveling 
objects  if  the  required  methods  will  be  available  at,  or  directly  available  to,  a  destination  VDE  installation).  Certain 
travelling  objects  may  be  used  at  some  or  all  VDE  installations  of  a  given  VDE  arrangement  since  they  can  make 
available  the  content  control  information  necessary  for  content  use  without  requiring  the  involvement  of  a  commercial 
VDE  value  chain  participant  or  data  security  administrator  (e.g.  a  control  officer  or  network  administrator).  As  long  as 
traveling  object  control  information  requirements  are  available  at  the  user  VDE  installation,  secure  subsystem  (such  as 
the  presence  of  a  sufficient  quantity  of  financial  credit  from  an  authorized  credit  provider),  at  least  some  travelling 
object  content  may  be  used  by  a  receiving  party  without  the  need  to  establish  a  connection  with  a  remote  VDE 
authority  (until,  for  example,  budgets  are  exhausted  or  a  time  content  usage  reporting  interval  has  occurred).  Traveling 
objects  can  travel  "out-of -channel,"  allowing,  for  example,  a  user  to  give  a  copy  of  a  traveling  object  whose  content  is 
a  software  program,  a  movie  or  a  game,  to  a  neighbor,  the  neighbor  being  able  to  use  the  traveling  object  if  appropriate 
credit  (e.g.  an  electronic  clearinghouse  account  from  a  clearinghouse  such  as  VISA  or  AT&T)  is  available.  Similarly, 
electronic  information  that  is  generally  available  on  an  Internet,  or  a  similar  network,  repository  might  be  provided  in 
the  form  of  a  traveling  object  that  can  be  downloaded  and  subsequently  copied  by  the  initial  downloader  and  then 
passed  along  to  other  parties  who  may  pass  the  object  on  to  additional  parties. 

provide  very  flexible  and  extensible  user  identification  according  to  individuals,  installations,  by  groups  such  as 
classes,  and  by  function  and  hierarchical  identification  employing  a  hierarchy  of  levels  of  client  identification  (for 
example,  client  organization  ID,  client  department  ID,  client  network  ID,  client  project  ID,  and  client  employee  ID,  or 
any  appropriate  subset  of  the  above). 
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provide  a  general  purpose,  secure,  component  based  content  control  and  distribution  system  that  functions  as  a 
foundation  transaction  operating  system  environment  that  employs  executable  code  pieces  crafted  for  transaction 
control  and  auditing.  These  code  pieces  can  be  reused  to  optimize  efficiency  in  creation  and  operation  of  trusted, 
distributed  transaction  management  arrangements.  VDE  supports  providing  such  executable  code  in  the  form  of 
"atomic"  load  modules  and  associated  data.  Many  such  load  modules  are  inherently  configurable,  aggregatable, 
portable,  and  extensible  and  singularly,  or  in  combination  (along  with  associated  data),  run  as  control  methods  under 
the  VDE  transaction  operating  environment.  VDE  can  satisfy  the  requirements  of  widely  differing  electronic 
commerce  and  data  security  applications  by,  in  part,  employing  this  general  purpose  transaction  management 
foundation  to  securely  process  VDE  transaction  related  control  methods.  Control  methods  are  created  primarily 
through  the  use  of  one  or  more  of  said  executable,  reusable  load  module  code  pieces  (normally  in  the  form  of 
executable  object  components)  and  associated  data.  The  component  nature  of  control  methods  allows  the  present 
invention  to  efficiently  operate  as  a  highly  configurable  content  control,  system.  Under  the  present  invention,  content 
control  models  can  be  iteratively  and  asynchronously  shaped,  and  otherwise  updated  to  accommodate  the  needs  of 
VDE  participants  to  the  extent  that  such  shaping  and  otherwise  updating  conforms  to  contraints  applied  by  a  VDE 
application,  if  any  (e.g.,  whether  new  component  assemblies  are  accepted  and,  if  so,  what  certification  requirements 
exist  for  such  component  assemblies  or  whether  any  or  certain  participants  may  shape  any  or  certain  control 
information  by  selection  amongst  optional  control  information  (permissions  record)  control  methods.  This  iterative  (or 
concurrent)  multiple  participant  process  occurs  as  a  result  of  the  submission  and  use  of  secure,  control  information 
components  (executable  code  such  as  load  modules  and/or  methods,  and/or  associated  data).  These  components  may 
be  contributed  independently  by  secure  communication  between  each  control  information  influencing  VDE 
participant's  VDE  installation  and  may  require  certification  for  use  with  a  given  application,  where  such  certification 
was  provided  by  a  certification  service  manager  for  the  VDE  arrangement  who  ensures  secure  interoperability  and/or 
reliability  (e.g.,  bug  control  resulting  from  interaction)  between  appliances  and  submitted  control  methods.  The 
transaction  management  control  functions  of  a  VDE  electronic  appliance  transaction  operating  environment  interact 
with  non- secure  transaction  management  operating  system  functions  to  properly  direct  transaction  processes  and  data 
related  to  electronic  information  security,  usage  control,  auditing,  and  usage  reporting.  VDE  provides  the  capability  to 
manages  resources  related  to  secure  VDE  content  and/or  appliance  control  information  execution  and  data  storage. 

facilitate  creation  of  application  and/or  system  functionality  under  VDE  and  to  facilitate  integration  into  electronic 
appliance  environments  of  load  modules  and  methods  created  under  the  present  invention.  To  achieve  this,  VDE 
employs  an  Application  Programmer's  Interface  (API)  and/or  a  transaction  operating  system  (such  as  a  ROS) 
programming  language  with  incorporated  functions,  both  of  which  support  the  use  of  capabilities  and  can  be  used  to 
efficiently  and  tightly  integrate  VDE  functionality  into  commercial  and  user  applications. 

support  user  interaction  through:  (a)  "Pop-Up"  applications  which,  for  example,  provide  messages  to  users  and  enable 
users  to  take  specific  actions  such  as  approving  a  transaction,  (b)  stand-alone  VDE  applications  that  provide 
administrative  environments  for  user  activities  such  as:  end-user  preference  specifications  for  limiting  the  price  per 
transaction,  unit  of  time,  and/or  session,  for  accessing  history  information  concerning  previous  transactions,  for 
reviewing  financial  information  such  as  budgets,  expenditures  (e.g.  detailed  and/or  summary)  and  usage  analysis 
information,  and  (c)  VDE  aware  applications  which,  as  a  result  of  the  use  of  a  VDE  API  and/or  a  transaction 
management  (for  example,  ROS  based)  programming  language  embeds  VDE  "awareness"  into  commercial  or  internal 
software  (application  programs,  games,  etc.)  so  that  VDE  user  control  information  and  services  are  seamlessly 
integrated  into  such  software  and  can  be  directly  accessed  by  a  user  since  the  underlying  functionality  has  been 
integrated  into  the  commercial  software's  native  design.  For  example,  in  a  VDE  aware  word  processor  application,  a 
user  may  be  able  to  "print"  a  document  into  a  VDE  content  container  object,  applying  specific  control  information  by 
selecting  from  amongst  a  series  of  different  menu  templates  for  different  purposes  (for  example,  a  confidential  memo 
template  for  internal  organization  purposes  may  restrict  the  ability  to  "keep,"  that  is  to  make  an  electronic  copy  of  the 
memo). 

employ  "templates"  to  ease  the  process  of  configuring  capabilities  of  the  present  invention  as  they  relate  to  specific 
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industries  or  businesses.  Templates  are  applications  or  application  add-ons  under  the  present  invention.  Templates 
support  the  efficient  specification  and/or  manipulation  of  criteria  related  to  specific  content  types,  distribution 
approaches,  pricing  mechanisms,  user  interactions  with  content  and/or  administrative  activities,  and/or  the  like.  Given 
the  very  large  range  of  capabilities  and  configurations  supported  by  the  present  invention,  reducing  the  range  of 
configuration  opportunities  to  a  manageable  subset  particularly  appropriate  for  a  given  business  model  allows  the  full 
configurable  power  of  the  present  invention  to  be  easily  employed  by  "typical"  users  who  would  be  otherwise 
burdened  with  complex  programming  and/or  configuration  design  responsibilities  template  applications  can  also  help 
ensure  that  VDE  related  processes  are  secure  and  optimally  bug  free  by  reducing  the  risks  associated  with  the 
contribution  of  independently  developed  load  modules,  including  unpredictable  aspects  of  code  interaction  between 
independent  modules  and  applications,  as  well  as  security  risks  associated  with  possible  presence  of  viruses  in  such 
modules.  VDE,  through  the  use  of  templates,  reduces  typical  user  configuration  responsibilities  to  an  appropriately 
focused  set  of  activities  including  selection  of  method  types  (e.g.  functionality)  through  menu  choices  such  as  multiple 
choice,  icon  selection,  and/or  prompting  for  method  parameter  data  (such  as  identification  information,  prices,  budget 
limits,  dates,  periods  of  time,  access  rights  to  specific  content,  etc.)  that  supply  appropriate  and/or  necessary  data  for 
control  information  purposes.  By  limiting  the  typical  (non -programming)  user  to  a  limited  subset  of  configuration 
activities  whose  general  configuration  environment  (template)  has  been  preset  to  reflect  general  requirements 
corresponding -to  that  user,  or  a  content  or  other  business  model  can  very  substantially  limit  difficulties  associated  with 
content  containerization  (including  placing  initial  control  information  on  content),  distribution,  client  administration, 
electronic  agreement  implementation,  end-user  interaction,  and  clearinghouse  activities,  including  associated 
interoperability  problems  (such  as  conflicts  resulting  from  security,  operating  system,  and/or  certification 
incompatibilities).  Use  of  appropriate  VDE  templates  can  assure  users  that  their  activities  related  to  content  VDE 
containerization,  contribution  of  other  control  information,  communications,  encryption  techniques  and/or  keys,  etc. 
will  be  in  compliance  with  specifications  for  their  distributed  VDE  arrangement.  VDE  templates  constitute  preset 
configurations  that  can  normally  be  reconfigurable  to  allow  for  new  and/or  modified  templates  that  reflect  adaptation 
into  new  industries  as  they  evolve  or  to  reflect  the  evolution  or  other  change  of  an  existing  industry.  For  example,  the 
template  concept  may  be  used  to  provide  individual,  overall  frameworks  for  organizations  and  individuals  that  create, 
modify,  market,  distribute,  consume,  and/or  otherwise  use  movies,  audio  recordings  and  live  performances, 
magazines,  telephony  based  retail  sales,  catalogs,  computer  software,  information  data  bases,  multimedia,  commercial 
communications,  advertisements,  market  surveys,  infomercials,  games,  CAD/CAM  services  for  numerically  controlled 
machines,  and  the  like.  As  the  context  surrounding  these  templates  changes  or  evolves,  template  applications  provided 
under  the  present  invention  may  be  modified  to  meet  these  changes  for  broad  use,  or  for  more  focused  activities.  A 
given  VDE  participant  may  have  a  plurality  of  templates  available  for  different  tasks.  A  party  that  places  content  in  its 
initial  VDE  container  may  have  a  variety  of  different,  configurable  templates  depending  on  the  type  of  content  and/or 
business  model  related  to  the  content.  An  end-user  may  have  different  configurable  templates  that  can  be  applied  to 
different  document  types  (e-mail,  secure  internal  documents,  database  records,  etc.)  and/or  subsets  of  users  (applying 
differing  general  sets  of  control  information  to  different  bodies  of  users,  for  example,  selecting  a  list  of  users  who  may, 
under  certain  preset  criteria,  use  a  certain  document).  Of  course,  templates  may,  under  certain  circumstances  have 
fixed  control  information  and  not  provide  for  user  selections  or  parameter  data  entry. 

support  plural,  different  control  models  regulating  the  use  and/or  auditing  of  either  the  same  specific  copy  of  electronic 
information  content  and/or  differently  regulating  different  copies  (occurrences)  of  the  same  electronic  information 
content.  Differing  models  for  billing,  auditing,  and  security  can  be  applied  to  the  same  piece  of  electronic  information 
content  and  such  differing  sets  of  control  information  may  employ,  for  control  purposes,  the  same,  or  differing, 
granularities  of  electronic  information  control  increments.  This  includes  supporting  variable  control  information  for 
budgeting  and  auditing  usage  as  applied  to  a  variety  of  predefined  increments  of  electronic  information,  including 
employing  a  variety  of  different  budgets  and/or  metering  increments  for  a  given  electronic  information  deliverable  for: 
billing  units  of  measure,  credit  limit,  security  budget  limit  and  security  content  metering  increments,  and/or  market 
surveying  and  customer  profiling  content  metering  increments.  For  example,  a  CD-ROM  disk  with  a  database  of 
scientific  articles  might  be  in  part  billed  according  to  a  formula  based  on  the  number  of  bytes  decrypted,  number  of 
articles  containing  said  bytes  decrypted,  while  a  security  budget  might  limit  the  use  of  said  database  to  no  more  than 
5%  of  the  database  per  month  for  users  on  the  wide  area  network  it  is  installed  on. 
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provide  mechanisms  to  persistently  maintain  trusted  content  usage  and  reporting  control  information  through  both  a 
sufficiently  secure  chain  of  handling  of  content  and  content  control  information  and  through  various  forms  of  usage  of 
such  content  wherein  said  persistence  of  control  may  survive  such  use.  Persistence  of  control  includes  the  ability  to 
extract  information  from  a  VDE  container  object  by  creating  a  new  container  whose  contents  are  at  least  in  part 
secured  and  that  contains  both  the  extracted  content  and  at  least  a  portion  of  the  control  information  which  control 
information  of  the  original  container  and/or  are  at  least  in  part  produced  by  control  information  of  the  original 
container  for  this  purpose  and/or  VDE  installation  control  information  stipulates  should  persist  and/or  control  usage  of 
content  in  the  newly  formed  container.  Such  control  information  can  continue  to  manage  usage  of  container  content  if 
the  container  is  "embedded"  into  another  VDE  managed  object,  such  as  an  object  which  contains  plural  embedded 
VDE  containers,  each  of  which  contains  content  derived  (extracted)  from  a  different  source. 

enables  users,  other  value  chain  participants  (such  as  clearinghouses  and  government  agencies),  and/or  user 
organizations,  to  specify  preferences  or  requirements  related  to  their  use  of  electronic  content  and/or  appliances. 
Content  users,  such  as  end-user  customers  using  commercially  distributed  content  (games,  information  resources, 
software  programs,  etc.),  can  define,  if  allowed  by  senior  control  information,  budgets,  and/or  other  control 
information,  to  manage  their  own  internal  use  of  content.  Uses  include,  for  example,  a  user  setting  a  limit  on  the  price 
for  electronic  documents  that  the  user  is  willing  to  pay  without  prior  express  user  authorization,  and  the  user 
establishing  the  character  of  metering  information  he  or  she  is  willing  to  allow  to  be  collected  (privacy  protection). 

This  includes  providing  the  means  for  content  users  to  protect  the  privacy  of  information  derived  from  their  use  of  a 
VDE  installation  and  content  and/or  appliance  usage  auditing.  In  particular,  VDE  can  prevent  information  related  to  a 
participant's  usage  of  electronic  content  from  being  provided  to  other  parties  without  the  participant's  tacit  or  explicit 
agreement. 

provide  mechanisms  that  allow  control  information  to  "evolve"  and  be  modified  according,  at  least  in  part,  to 
independently,  securely  delivered  further  control  information.  Said  control  information  may  include  executable  code 
(e.g.,  load  modules)  that  has  been  certified  as  acceptable  (e.g.,  reliable  and  trusted)  for  use  with  a  specific  VDE 
application,  class  of  applications,  and/or  a  VDE  distributed  arrangement.  This  modification  (evolution)  of  control 
information  can  occur  upon  content  control  information  (load  modules  and  any  associated  data)  circulating  to  one  or 
more  VDE  participants  in  a  pathway  of  handling  of  control  information,  or  it  may  occur  upon  control  information 
being  received  from  a  VDE  participant.  Handlers  in  a  pathway  of  handling  of  content  control  information,  to  the  extent 
each  is  authorized,  can  establish,  modify,  and/or  contribute  to,  permission,  auditing,  payment,  and  reporting  control 
information  related  to  controlling,  analyzing,  paying  for,  and/or  reporting  usage  of,  electronic  content  and/or 
appliances  (for  example,  as  related  to  usage  of  VDE  controlled  property  content).  Independently  delivered  (from  an 
independent  source  which  is  independent  except  in  regards  to  certification),  at  least  in  part  secure,  control  information 
can  be  employed  to  securely  modify  content  control  information  when  content  control  information  has  flowed  from 
one  party  to  another  party  in  a  sequence  of  VDE  content  control  information  handling.  This  modification  employs,  for 
example,  one  or  more  VDE  component  assemblies  being  securely  processed  in  a  VDE  secure  subsystem.  In  an 
alternate  embodiment,  control  information  may  be  modified  by  a  senior  party  through  use  of  their  VDE  installation 
secure  sub-system  after  receiving  submitted,  at  least  in  part  secured,  control  information  from  a  "junior"  party, 
normally  in  the  form  of  a  VDE  administrative  object.  Control  information  passing  along  VDE  pathways  can  represent 
a  mixed  control  set,  in  that  it  may  include:  control  information  that  persisted  through  a  sequence  of  control  information 
handlers,  other  control  information  that  was  allowed  to  be  modified,  and  further  control  information  representing  new 
control  information  and/or  mediating  data.  Such  a  control  set  represents  an  evolution  of  control  information  for 
disseminated  content.  In  this  example  the  overall  content  control  set  for  a  VDE  content  container  is  "evolving"  as  it 
securely  (e.g.  communicated  in  encrypted  form  and  using  authentication  and  digital  signaturing  techniques)  passes,  at 
least  in  part,  to  a  new  participant's  VDE  installation  where  the  proposed  control  information  is  securely  received  and 
handled.  The  received  control  information  may  be  integrated  (through  use  of  the  receiving  parties'  VDE  installation 
secure  sub-system)  with  in-place  control  information  through  a  negotiation  process  involving  both  control  information 
sets.  For  example,  the  modification,  within  the  secure  sub- system  of  a  content  provider's  VDE  installation,  of  content 
control  information  for  a  certain  VDE  content  container  may  have  occurred  as  a  result  of  the  incorporation  of  required 
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control  information  provided  by  a  financial  credit  provider.  Said  credit  provider  may  have  employed  their  VDE 
installation  to  prepare  and  securely  communicate  (directly  or  indirectly)  said  required  control  information  to  said 
content  provider.  Incorporating  said  required  control  information  enables  a  content  provider  to  allow  the  credit 
provider's  credit  to  be  employed  by  a  content  end-user  to  compensate  for  the  end-user's  use  of  VDE  controlled  content 
and/or  appliances,  so  long  as  said  end-user  has  a  credit  account  with  said  financial  credit  provider  and  said  credit 
account  has  sufficient  credit  available.  Similarly,  control  information  requiring  the  payment  of  taxes  and/or  the 
provision  of  revenue  information  resulting  from  electronic  commerce  activities  may  be  securely  received  by  a  content 
provider.  This  control  information  may  be  received,  for  example,  from  a  government  agency.  Content  providers  might 
be  required  by  law  to  incorporate  such  control  information  into  the  control  information  for  commercially  distributed 
content  and/or  services  related  to  appliance  usage.  Proposed  control  information  is  used  to  an  extent  allowed  by  senior 
control  information  and  as  determined  by  any  negotiation  trade-offs  that  satisfy  priorities  stipulated  by  each  set  (the 
received  set  and  the  proposed  set).  VDE  also  accommodates  different  control  schemes  specifically  applying  to 
different  participants  (e.g.,  individual  participants  and/or  participant  classes  (types  in  a  network  of  VDE  content 
handling  participants. 

support  multiple  simultaneous  control  models  for  the  same  content  property  and/or  property  portion.  This  allows,  for 
example,  for  concurrent  business  activities  which  are  dependent  on  electronic  commercial  product  content  distribution, 
such  as  acquiring  detailed  market  survey  information  and/or  supporting  advertising,  both  of  which  can  increase 
revenue  and  result  in  lower  content  costs  to  users  and  greater  value  to  content  providers.  Such  control  information 
and/or  overall  control  models  may  be  applied,  as  determined  or  allowed  by  control  information,  in  differing  manners 
to  different  participants  in  a  pathway  of  content,  reporting,  payment,  and/or  related  control  information  handling.  VDE 
supports  applying  different  content  control  information  to  the  same  and/or  different  content  and/or  appliance  usage 
related  activities,  and/or  to  different  parties  in  a  content  and/or  appliance  usage  model,  such  that  different  parties  (or 
classes  of  VDE  users,  for  example)  are  subject  to  differing  control  information  managing  their  use  of  electronic 
information  content.  For  example,  differing  control  models  based  on  the  category  of  a  user  as  a  distributor  of  a  VDE 
controlled  content  object  or  an  end-user  of  such  content  may  result  in  different  budgets  being  applied.  Alternatively, 
for  example,  a  one  distributor  may  have  the  right  to  distribute  a  different  array  of  properties  than  another  distributor 
(from  a  common  content  collection  provided,  for  example,  on  optical  disc).  An  individual,  and/or  a  class  or  other 
grouping  of  end-users,  may  have  different  costs  (for  example,  a  student,  senior  citizen,  and/or  poor  citizen  user  of 
content  who  may  be  provided  with  the  same  or  differing  discounts)  than  a  "typical"  content  user. 

support  provider  revenue  information  resulting  from  customer  use  of  content  and/or  appliances,  and/or  provider  and/or 
end-user  payment  of  taxes,  through  the  transfer  of  credit  and/or  electronic  currency  from  said  end-user  and/or  provider 
to  a  government  agency,  might  occur  "automatically"  as  a  result  of  such  received  control  information  causing  the 
generation  of  a  VDE  content  container  whose  content  includes  customer  content  usage  information  reflecting  secure, 
trusted  revenue  summary  information  and/or  detailed  user  transaction  listings  (level  of  detail  might  depend,  for 
example  on  type  or  size  of  transaction-information  regarding  a  bank  interest  payment  to  a  customer  or  a  transfer  of  a 
large  (e.g.  over  $10,000)  might  be,  by  law,  automatically  reported  to  the  government).  Such  summary  and/or  detailed 
information  related  to  taxable  events  and/or  currency,  and/or  creditor  currency  transfer,  may  be  passed  along  a 
pathway  of  reporting  and/or  payment  to  the  government  in  a  VDE  container,  Such  a  container  may  also  be  used  for 
other  VDE  related  content  usage  reporting  information. 

support  the  flowing  of  content  control  information  through  different  "branches"  of  content  control  information 
handling  so  as  to  accommodate,  under  the  present  invention's  preferred  embodiment,  diverse  controlled  distributions 
of  VDE  controlled  content.  This  allows  different  parties  to  employ  the  same  initial  electronic  content  with  differing 
(perhaps  competitive)  control  strategies.  In  this  instance,  a  party  who  first  placed  control  information  on  content  can 
make  certain  control  assumptions  and  these  assumptions  would  evolve  into  more  specific  and/or  extensive  control 
assumptions.  These  control  assumptions  can  evolve  during  the  branching  sequence  upon  content  model  participants 
submitting  control  information  changes,  for  example,  for  use  in  "negotiating"  with  "in  place"  content  control 
information.  This  can  result  in  new  or  modified  content  control  information  and/or  it  might  involve  the  selection  of 
certain  one  or  more  already  "in-place"  content  usage  control  methods  over  in-place  alternative  methods,  as  well  as  the 
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submission  of  relevant  control  information  parameter  data.  This  form  of  evolution  of  different  control  information  sets 
applied  to  different  copies  of  the  same  electronic  property  content  and/or  appliance  results  from  VDE  control 
information  flowing  "down"  through  different  branches  in  an  overall  pathway  of  handling  and  control  and  being 
modified  differently  as  it  diverges  down  these  different  pathway  branches.  This  ability  of  the  present  invention  to 
support  multiple  pathway  branches  for  the  flow  of  both  VDE  content  control  information  and  VDE  managed  content 
enables  an  electronic  commerce  marketplace  which  supports  diverging,  competitive  business  partnerships,  agreements, 
and  evolving  overall  business  models  which  can  employ  the  same  content  properties  combined,  for  example,  in 
differing  collections  of  content  representing  differing  at  least  in  part  competitive  products. 

enable  a  user  to  securely  extract,  through  the  use  of  the  secure  subsystem  at  the  user's  VDE  installation,  at  least  a 
portion  of  the  content  included  within  a  VDE  content  container  to  produce  a  new,  secure  object  (content  container), 
such  that  the  extracted  information  is  maintained  in  a  continually  secure  manner  through  the  extraction  process. 
Formation  of  the  new  VDE  container  containing  such  extracted  content  shall  result  in  control  information  consistent 
with,  or  specified  by,  the  source  VDE  content  container,  and/or  local  VDE  installation  secure  subsystem  as 
appropriate,  content  control  information.  Relevant  control  information,  such  as  security  and  administrative 
information,  derived;  at  least  in  part,  from  the  parent  (source)  object's  control  information,  will  normally  be 
automatically  inserted  into  a  new  VDE  content  container  object  containing  extracted  VDE  content.  This  process 
typically  occurs  under  the  control  framework  of  a  parent  object  and/or  VDE  installation  control  information  executing 
at  the  users  VDE  installation  secure  subsystem  (with,  for  example,  at  least  a  portion  of  this  inserted  control 
information  being  stored  securely  in  encrypted  form  in  one  or  more  permissions  records).  In  an  alternative 
embodiment,  the  derived  content  control  information  applied  to  extracted  content  may  be  in  part  or  whole  derived 
from,  or  employ,  content  control  information  stored  remotely  from  the  VDE  installation  that  performed  the  secure 
extraction  such  as  at  a  remote  server  location.  As  with  the  content  control  information  for  most  VDE  managed  content, 
features  of  the  present  invention  allows  the  content's  control  information  to: 

(a)  "evolve,"  for  example,  the  extractor  of  content  may  add  new  control  methods  and/or  modify  control  parameter 
data,  such  as  VDE  application  compliant  methods,  to  the  extent  allowed  by  the  content's  in-place  control  information. 
Such  new  control  information  might  specify,  for  example,  who  may  use  at  least  a  portion  of  the  new  object,  and/or 
how  said  at  least  a  portion  of  said  extracted  content  may  be  used  (e.g.  when  at  least  a  portion  may  be  used,  or  what 
portion  or  quantity  of  portions  may  be  used); 

(b)  allow  a  user  to  combine  additional  content  with  at  least  a  portion  of  said  extracted  content,  such  as  material 
authored  by  the  extractor  and/or  content  (for  example,  images,  video,  audio,  and/or  text)  extracted  from  one  or  more 
other  VDE  container  objects  for  placement  directly  into  the  new  container; 

(c)  allow  a  user  to  securely  edit  at  least  a  portion  of  said  content  while  maintaining  said  content  in  a  secure  form  within 
said  VDE  content  container; 

(d)  append  extracted  content  to  a  pre-existing  VDE  content  container  object  and  attach  associated  control  information- 
-in  these  cases,  user  added  information  may  be  secured,  e.g.,  encrypted,  in  part  or  as  a  whole,  and  may  be  subject  to 
usage  and/or  auditing  control  information  that  differs  from  the  those  applied  to  previously  in  place  object  content; 

(e)  preserve  VDE  control  over  one  or  more  portions  of  extracted  content  after  various  forms  of  usage  of  said  portions, 
for  example,  maintain  content  in  securely  stored  form  while  allowing  "temporary"  on  screen  display  of  content  or 
allowing  a  software  program  to  be  maintained  in  secure  form  but  transiently  decrypt  any  encrypted  executing  portion 
of  said  program  (all,  or  only  a  portion,  of  said  program  may  be  encrypted  to  secure  the  program). 

Generally,  the  extraction  features  of  the  present  invention  allow  users  to  aggregate  and/or  disseminate  and/or 
otherwise  use  protected  electronic  content  information  extracted  from  content  container  sources  while  maintaining 
secure  VDE  capabilities  thus  preserving  the  rights  of  providers  in  said  content  information  after  various  content  usage 
processes. 
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support  the  aggregation  of  portions  of  VDE  controlled  content,  such  portions  being  subject  to  differing  VDE  content 
container  control  information,  wherein  various  of  said  portions  may  have  been  provided  by  independent,  different 
content  providers  from  one  or  more  different  locations  remote  to  the  user  performing  the  aggregation.  Such 
aggregation,  in  the  preferred  embodiment  of  the  present  invention,  may  involve  preserving  at  least  a  portion  of  the 
control  information  (e.g.,  executable  code  such  as  load  modules)  for  each  of  various  of  said  portions  by,  for  example, 
embedding  some  or  all  of  such  portions  individually  as  VDE  content  container  objects  within  an  overall  VDE  content 
container  and/or  embedding  some  or  all  of  such  portions  directly  into  a  VDE  content  container.  In  the  latter  case, 
content  control  information  of  said  content  container  may  apply  differing  control  information  sets  to  various  of  such 
portions  based  upon  said  portions  original  control  information  requirements  before  aggregation.  Each  of  such 
embedded  VDE  content  container  may  have  its  own  control  information  in  the  form  of  one  or  more  permissions 
records.  Alternatively,  a  negotiation  between  control  information  associated  with  various  aggregated  portions  of 
electronic  content,  may  produce  a  control  information  set  that  would  govern  some  or  all  of  the  aggregated  content 
portions.  The  VDE  content  control  information  produced  by  the  negotiation  may  be  uniform  (such  as  having  the  same 
load  modules  and/or  component  assemblies,  and/or  it  may  apply  differing  such  content  control  information  to  two  or 
more  portions  that  constitute  an  aggregation  of  VDE  controlled  content  such  as  differing  metering,  budgeting,  billing 
and/or  payment  models.  For  example,  content  usage  payment  may  be  automatically  made,  either  through  a 
clearinghouse,  or  directly,  to  different  content  providers  for  different  potions. 

enable  flexible  metering  of,  or  other  collection  of  information  related  to,  use  of  electronic  content  and/or  electronic 
appliances.  A  feature  of  the  present  invention  enables  such  flexibility  of  metering  control  mechanisms  to 
accommodate  a  simultaneous,  broad  array  of:  (a)  different  parameters  related  to  electronic  information  content  use;  (b) 
different  increment  units  (bytes,  documents,  properties,  paragraphs,  images,  etc.)  and/or  other  organizations  of  such 
electronic  content;  and/or  (c)  different  categories  of  user  and/or  VDE  installation  types,  such  as  client  organizations, 
departments,  projects,  networks,  and/or  individual  users,  etc.  This  feature  of  the  present  invention  can  be  employed  for 
content  security,  usage  analysis  (for  example,  market  surveying),  and/or  compensation  based  upon  the  use  and/or 
exposure  to  VDE  managed  content.  Such  metering  is  a  flexible  basis  for  ensuring  payment  for  content  royalties, 
licensing,  purchasing,  and/or  advertising.  A  feature  of  the  present  invention  provides  for  payment  means  supporting 
flexible  electronic  currency  and  credit  mechanisms,  including  the  ability  to  securely  maintain  audit  trails  reflecting 
information  related  to  use  of  such  currency  or  credit.  VDE  supports  multiple  differing  hierarchies  of  client 
organization  control  information  wherein  an  organization  client  administrator  distributes  control  information 
specifying  the  usage  rights  of  departments,  users,  and/or  projects.  Likewise,  a  department  (division)  network  manager 
can  function  as  a  distributor  (budgets,  access  rights,  etc.)  for  department  networks,  projects,  and/or  users,  etc. 

provide  scalable,  integratable,  standardized  control  means  for  use  on  electronic  appliances  ranging  from  inexpensive 
consumer  (for  example,  television  set-top  appliances)  and  professional  devices  (and  hand-held  PDAs)  to  servers, 
mainframes,  communication  switches,  etc.  The  scalable  transaction  management/auditing  technology  of  the  present 
invention  will  result  in  more  efficient  and  reliable  interoperability  amongst  devices  functioning  in  electronic 
commerce  and/or  data  security  environments.  As  standardized  physical  containers  have  become  essential  to  the 
shipping  of  physical  goods  around  the/world,  allowing  these  physical  containers  to  universally  "fit"  unloading 
equipment,  efficiently  use  truck  and  train  space,  and  accommodate  known  arrays  of  objects  (for  example,  boxes)  in  an 
efficient  manner,  so  VDE  electronic  content  containers  may,  as  provided  by  the  present  invention,  be  able  to 
efficiently  move  electronic  information  content  (such  as  commercially  published  properties,  electronic  currency  and 
credit,  and  content  audit  information),  and  associated  content  control  information,  around  the  world  Interoperability  is 
fundamental  to  efficient  electronic  commerce.  The  design  of  the  VDE  foundation,  VDE  load  modules,  and  VDE 
containers,  are  important  features  that  enable  the  VDE  node  operating  environment  to  be  compatible  with  a  very  broad 
range  of  electronic  appliances.  The  ability,  for  example,  for  control  methods  based  on  load  modules  to  execute  in  very 
"small"  and  inexpensive  secure  sub-system  environments,  such  as  environments  with  very  little  read/write  memory, 
while  also  being  able  to  execute  in  large  memory  sub -systems  that  may  be  used  in  more  expensive  electronic 
appliances,  supports  consistency  across  many  machines.  This  consistent  VDE  operating  environment,  including  its 
control  structures  and  container  architecture,  enables  the  use  of  standardized  VDE  content  containers  across  a  broad 
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range  of  device  types  and  host  operating  environments.  Since  VDE  capabilities  can  be  seamlessly  integrated  as 
extentions,  additions,  and/or  modifications  to  fundamental  capabilities  of  electronic  appliances  and  host  operating 
systems,  VDE  containers,  content  control  information,  and  the  VDE  foundation  will  be  able  to  work  with  many  device 
types  and  these  device  types  will  be  able  to  consistently  and  efficiently  interpret  and  enforce  VDE  control  information. 
Through  this  integration  users  can  also  benefit  from  a  transparent  interaction  with  many  of  the  capabilities  of  VDE. 
VDE  integration  with  software  operating  on  a  host  electronic  appliance  supports  a  variety  of  capabilities  that  would  be 
unavailable  or  less  secure  without  such  integration.  Through  integration  with  one  or  more  device  applications  and/or 
device  operating  environments,  many  capabilities  of  the  present  invention  can  be  presented  as  inherent  capabilities  of  a 
given  electronic  appliance,  operating  system,  or  appliance  application.  For  example,  features  of  the  present  invention 
include:  (a)  VDE  system  software  to  in  part  extend  and/or  modify  host  operating  systems  such  that  they  possesses 
VDE  capabilities,  such  as  enabling  secure  transaction  processing  and  electronic  information  storage;  (b)  one  or  more 
application  programs  that  in  part  represent  tools  associated  with  VDE  operation;  and/or  (c)  code  to  be  integrated  into 
application  programs,  wherein  such  code  incorporates  references  into  VDE  system  software  to  integrate  VDE 
capabilities  and  makes  such  applications  VDE  aware  (for  example,  word  processors,  database  retrieval  applications, 
spreadsheets,  multimedia  presentation  authoring  tools,  film  editing  software,  music  editing  software  such  as  MIDI 
applications  and  the  like,  robotics  control  systems  such  as  those  associated  with  CAD/CAM  environments  and  NCM 
software  and  the  like,  electronic  mail  systems,  teleconferencing  software,  and  other  data  authoring,  creating,  handling, 
and/or  usage  applications  including  combinations  of  the  above).  These  one  or  more  features  (which  may  also  be 
implemented  in  firmware  or  hardware)  may  be  employed  in  conjunction  with  a  VDE  node  secure  hardware  processing 
capability,  such  as  a  microcontroller(s),  microprocessor(s),  other  CPU(s)  or  other  digital  processing  logic. 

employ  audit  reconciliation  and  usage  pattern  evaluation  processes  that  assess,  through  certain,  normally  network 
based,  transaction  processing  reconciliation  and  threshold  checking  activities,  whether  certain  violations  of  security  of 
a  VDE  arrangement  have  occurred.  These  processes  are  performed  remote  to  VDE  controlled  content  end-user  VDE 
locations  by  assessing,  for  example,  purchases,  and/or  requests,  for  electronic  properties  by  a  given  VDE  installation. 
Applications  for  such  reconciliation  activities  include  assessing  whether  the  quantity  of  remotely  delivered  VDE 
controlled  content  corresponds  to  the  amount  of  financial  credit  and/or  electronic  currency  employed  for  the  use  of 
such  content.  A  trusted  organization  can  acquire  information  from  content  providers  concerning  the  cost  for  content 
provided  to  a  given  VDE  installation  and/or  user  and  compare  this  cost  for  content  with  the  credit  and/or  electronic 
currency  disbursements  for  that  installation  and/or  user.  Inconsistencies  in  the  amount  of  content  delivered  versus  the 
amount  of  disbursement  can  prove,  and/or  indicate,  depending  on  the  circumstances,  whether  the  local  VDE 
installation  has  been,  at  least  to  some  degree,  compromised  (for  example,  certain  important  system  security  functions, 
such  as  breaking  encryption  for  at  least  some  portion  of  the  secure  subsystem  and/or  VDE  controlled  content  by 
uncovering  one  or  more  keys).  Determining  whether  irregular  patterns  (e.g.  unusually  high  demand)  of  content  usage, 
or  requests  for  delivery  of  certain  kinds  of  VDE  controlled  information  during  a  certain  time  period  by  one  or  more 
VDE  installations  and/or  users  (including,  for  example,  groups  of  related  users  whose  aggregate  pattern  of  usage  is 
suspicious)  may  also  be  useful  in  determining  whether  security  at  such  one  or  more  installations,  and/or  by  such  one  or 
more  users,  has  been  compromised,  particularly  when  used  in  combination  with  an  assessment  of  electronic  credit 
and/or  currency  provided  to  one  or  more  VDE  users  and/or  installations,  by  some  or  all  of  their  credit  and/or  currency 
suppliers,  compared  with  the  disbursements  made  by  such  users  and/or  installations. 

support  security  techniques  that  materially  increase  the  time  required  to  "break"  a  system's  integrity.  This  includes 
using  a  collection  of  techniques  that  minimizes  the  damage  resulting  from  comprising  some  aspect  of  the  security 
features  of  the  present  inventions. 

provide  a  family  of  authoring,  administrative,  reporting,  payment,  and  billing  tool  user  applications  that  comprise 
components  of  the  present  invention's  trusted/secure,  universe  wide,  distributed  transaction  control  and  administration 
system.  These  components  support  VDE  related:  object  creation  (including  placing  control  information  on  content), 
secure  object  distribution  and  management  (including  distribution  control  information,  financial  related,  and  other 
usage  analysis),  client  internal  VDE  activities  administration  and  control,  security  management,  user  interfaces, 
payment  disbursement,  and  clearinghouse  related  functions.  These  components  are  designed  to  support  highly  secure, 
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uniform,  consistent,  and  standardized:  electronic  commerce  and/or  data  security  pathway(s)  of  handling,  reporting, 
and/or  payment;  content  control  and  administration;  and  human  factors  (e.g.  user  interfaces). 

support  the  operation  of  a  plurality  of  clearinghouses,  including,  for  example,  both  financial  and  user  clearinghouse 
activities,  such  as  those  performed  by  a  client  administrator  in  a  large  organization  to  assist  in  the  organization's  use  of 
a  VDE  arrangement,  including  usage  information  analysis,  and  control  of  VDE  activities  by  individuals  and  groups  of 
employees  such  as  specifying  budgets  and  the  character  of  usage  rights  available  under  VDE  for  certain  groups  of 
and/or  individual,  client  personnel,  subject  to  control  information  series  to  control  information  submitted  by  the  client 
administrator.  At  a  clearinghouse,  one  or  more  VDE  installations  may  operate  together  with  a  trusted  distributed 
database  environment  (which  may  include  concurrent  database  processing  means).  A  financial  clearinghouse  normally 
receives  at  its  location  securely  delivered  content  usage  information,  and  user  requests  (such  as  requests  for  further 
credit,  electronic  currency,  and/or  higher  credit  limit).  Reporting  of  usage  information  and  user  requests  can  be  used 
for  supporting  electronic  currency,  billing,  payment  and  credit  related  activities,  and/or  for  user  profile  analysis  and/or 
broader  market  survey  analysis  and  marketing  (consolidated)  list  generation  or  other  information  derived,  at  least  in 
part,  from  said  usage  information,  this  information  can  be  provided  to  content  providers  or  other  parties,  through 
secure,  authenticated  encrypted  communication  to  the  VDE  installation  secure  subsystems.  Clearinghouse  processing 
means  would  normally  be  connected  to  specialized  I/O  means,  which  may  include  high  speed  telecommunication 
switching  means  that  may  be  used  for  secure  communications  between  a  clearinghouse  and  other  VDE  pathway 
participants. 

securely  support  electronic  currency  and  credit  usage  control,  storage,  and  communication  at,  and  between,  VDE 
installations.  VDE  further  supports  automated  passing  of  electronic  currency  and/or  credit  information,  including 
payment  tokens  (such  as  in  the  form  of  electronic  currency  or  credit)  or  other  payment  information,  through  a  pathway 
of  payment,  which  said  pathway  may  or  may  not  be  the  same  as  a  pathway  for  content  usage  information  reporting. 
Such  payment  may  be  placed  into  a  VDE  container  created  automatically  by  a  VDE  installation  in  response  to  control 
information  stipulating  the  "withdrawal"  of  credit  or  electronic  currency  from  an  electronic  credit  or  currency  account 
based  upon  an  amount  owed  resulting  from  usage  of  VDE  controlled  electronic  content  and/or  appliances.  Payment 
credit  or  currency  may  then  be  automatically  communicated  in  protected  (at  least  in  part  encrypted)  form  through 
telecommunication  of  a  VDE  container  to  an  appropriate  party  such  as  a  clearinghouse,  provider  of  original  property 
content  or  appliance,  or  an  agent  for  such  provider  (other  than  a  clearinghouse).  Payment  information  may  be 
packaged  in  said  VDE  content  container  with,  or  without,  related  content  usage  information,  such  as  metering 
information.  An  aspect  of  the  present  invention  further  enables  certain  information  regarding  currency  use  to  be 
specified  as  unavailable  to  certain,  some,  or  all  VDE  parties  ("conditionally"  to  fully  anonymous  currency)  and/or 
further  can  regulate  certain  content  information,  such  as  currency  and/r  credit  use  related  information  (and/or  other 
electronic  information  usage  data)  to  be  available  only  under  certain  strict  circumstances,  such  as  a  court  order  (which 
may  itself  require  authorization  through  the  use  of  a  court  controlled  VDE  installation  that  may  be  required  to  securely 
access  "conditionally"  anonymous  information).  Currency  and  credit  information,  under  the  preferred  embodiment  of 
the  present  invention,  is  treated  as  administrative  content; 

support  fingerprinting  (also  known  as  watermarking)  for  embedding  in  content  such  that  when  content  protected  under 
the  present  invention  is  released  in  clear  form  from  a  VDE  object  (displayed,  printed,  communicated,  extracted,  and/or 
saved),  information  representing  the  identification  of  the  user  and/or  VDE  installation  responsible  for  transforming  the 
content  into  clear  form  is  embedded  into  the  released  content.  Fingerprinting  is  useful  in  providing  an  ability  to 
identify  who  extracted  information  in  clear  form  a  VDE  container,  or  who  made  a  copy  of  a  VDE  object  or  a  portion 
of  its  contents.  Since  the  identity  of  the  user  and/or  other  identifying  information  may  be  embedded  in  an  obscure  or 
generally  concealed  manner,  in  VDE  container  content  and/or  control  information,  potential  copyright  violators  may 
be  deterred  from  unauthorized  extraction  or  copying.  Fingerprinting  normally  is  embedded  into  unencrypted  electronic 
content  or  control  information,  though  it  can  be  embedded  into  encrypted  content  and  later  place  in  unencrypted 
content  in  a  secure  VDE  installation  sub -system  as  the  encrypted  content  carrying  the  fingerprinting  information  is 
decrypted.  Electronic  information,  such  as  the  content  of  a  VDE  container,  may  be  fingerprinted  as  it  leaves  a  network 
(such  as  Internet)  location  bound  for  a  receiving  party.  Such  repository  information  may  be  maintained  in  unencrypted 
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form  prior  to  communication  and  be  encrypted  as  it  leaves  the  repository.  Fingerprinting  would  preferably  take  place 
as  the  content  leaves  the  repository,  but  before  the  encryption  step.  Encrypted  repository  content  can  be  decrypted,  for 
example  in  a  secure  VDE  sub-system,  fingerprint  information  can  be  inserted,  and  then  the  content  can  be  re -encrypted 
for  transmission.  Embedding  identification  information  of  the  intended  recipient  user  and/or  VDE  installation  into 
content  as  it  leaves,  for  example,  an  Internet  repository,  would  provide  important  information  that  would  identify  or 
assist  in  identifying  any  party  that  managed  to  compromise  the  security  of  a  VDE  installation  or  the  delivered  content. 
If  a  party  produces  an  authorized  clear  form  copy  of  VDE  controlled  content,  including  making  unauthorized  copies  of 
an  authorized  clear  form  copy,  fingerprint  information  would  point  back  to  that  individual  and/or  his  or  her  VDE 
installation.  Such  bidden  information  will  act  as  a  strong  disincentive  that  should  dissuade  a  substantial  portion  of 
potential  content  "pirates"  from  stealing  other  parties  electronic  information.  Fingerprint  inflation  identifying  a 
receiving  party  and/or  VDE  installation  can  be  embedded  into  a  VDE  object  before  or  during,  decryption,  replication, 
or  communication  of  VDE  content  objects  to  receivers.  Fingerprinting  electronic  content  before  it  is  encrypted  for 
transfer  to  a  customer  or  other  user  provides  information  that  can  be  very  useful  for  identifying  who  received  certain 
content  which  may  have  then  been  distributed  or  made  available  in  unencrypted  form.  This  information  would  be 
useful  in  tracking  who  may  have  "broken"  the  security  of  a  VDE  installation  and  was  illegally  making  certain 
electronic  content  available  to  others.  Fingerprinting  may  provide  additional,  available  information  such  as  time  and/or 
date  of  the  release  (for  example  extraction)  of  said  content  information.  Locations  for  inserting  fingerprints  may  be 
specified  by  VDE  installation  and/or  content  container  control  information.  This  information  may  specify  that  certain 
areas  and/or  precise  locations  within  properties  should  be  used  for  fingerprinting,  such  as  one  or  more  certain  fields  of 
information  or  information  types.  Fingerprinting  information  may  be  incorporated  into  a  property  by  modifying  in  a 
normally  undetectable  way  color  frequency  and/or  the  brightness  of  certain  image  pixels,  by  slightly  modifying  certain 
audio  signals  as  to  frequency,  by  modifying  font  character  formation,  etc.  Fingerprint  information,  itself,  should  be 
encrypted  so  as  to  make  it  particularly  difficult  for  tampered  fingerprints  to  be  interpreted  as  valid.  Variations  in 
fingerprint  locations  for  different  copies  of  the  same  property;  "false"  fingerprint  information;  and  multiple  copies  of 
fingerprint  information  within  a  specific  property  or  other  contents  which  copies  employ  different  fingerprinting 
techniques  such  as  information  distribution  patterns,  frequency  and/or  brightness  manipulation,  and  encryption  related 
techniques,  are  features  of  the  present  invention  for  increasing  the  difficulty  of  an  unauthorized  individual  identifying 
fingerprint  locations  and  erasing  and/or  modifying  fingerprint  information. 

provide  smart  object  agents  that  can  carry  requests,  data,  and/or  methods,  including  budgets,  authorizations,  credit  or 
currency,  and  content.  For  example,  smart  objects  may  travel  to  and/or  from  remote  information  resource  locations  and 
fulfill  requests  for  electronic  information  content.  Smart  objects  can,  for  example,  be  transmitted  to  a  remote  location 
to  perform  a  specified  database  search  on  behalf  of  a  user  or  otherwise  "intelligently"  search  remote  one  or  more 
repositories  of  information  for  user  desired  information.  After  identifying  desired  information  at  one  or  more  remote 
locations,  by  for  example,  performing  one  or  more  database  searches,  a  smart  object  may  return  via  communication  to 
the  user  in  the  form  of  a  secure  "return  object"  containing  retrieved  information.  A  user  may  be  charged  for  the  remote 
retrieving  of  information,  the  returning  of  information  to  the  user's  VDE  installation,  and/or  the  use  of  such 
information.  In  the  latter  case  a  user  may  be  charged  only  for  the  information  in  the  return  object  that  the  user  actually 
uses.  Smart  objects  may  have  the  means  to  request  use  of  one  of  more  services  and/or  resources.  Services  include 
locating  other  services  and/or  resources  such  as  information  resources,  language  or  format  translation,  processing, 
credit  (or  additional  credit)  authorization,  etc.  Resources  include  reference  databases,  networks,  high  powered  or 
specialized  computing  resources  (the  smart  object  may  carry  information  to  another  computer  to  be  efficiently 
processed  and  then  return  the  information  to  the  sending  VDE  installation),  remote  object  repositories,  etc.  Smart 
objects  can  make  efficient  use  of  remote  resources  (e.g.  centralized  databases,  super  computers,  etc.)  while  providing  a 
secure  means  for  charging  users  based  on  information  and/or  resources  actually  used. 

support  both  "translations"  of  VDE  electronic  agreements  elements  into  modern  language  printed  agreement  elements 
(such  as  English  language  agreements)  and  translations  of  electronic  rights  protection/transaction  management  modem 
language  agreement  elements  to  electronic  VDE  agreement  elements.  This  feature  requires  maintaining  a  library  of 
textual  language  that  corresponds  to  VDE  load  modules  and/or  methods  and/or  component  assemblies.  As  VDE 
methods  are  proposed  and/or  employed  for  VDE  agreements,  a  listing  of  textual  terms  and  conditions  can  be  produced 
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by  a  VDE  user  application  which,  in  a  preferred  embodiment,  provides  phrases,  sentences  and/or  paragraphs  that  have 
been  stored  and  correspond  to  said  methods  and/or  assemblies.  This  feature  preferably  employs  artificial  intelligence 
capabilities  to  analyze  and  automatically  determine,  and/or  assist  one  or  more  users  to  determine,  the  proper  order  and 
relationship  between  the  library  elements  corresponding  to,  the  chosen  methods  and/or  assemblies  so  as  to  compose 
some  or  all  portions  of  a  legal  or  descriptive  document.  One  or  more  users,  and/or  preferably  an  attorney  (if  the 
document  a  legal,  binding  agreement),  would  review  the  generated  document  material  upon  completion  and  employ 
such  additional  textual  information  and/or  editing  as  necessary  to  describe  non  electronic  transaction  elements  of  the 
agreement  and  make  any  other  improvements  that  may  be  necessary.  These  features  further  support  employing  modern 
language  tools  that  allow  one  or  more  users  to  make  selections  from  choices  and  provide  answers  to  questions  and  to 
produce  a  VDE  electronic  agreement  from  such  a  process.  This  process  can  be  interactive  and  the  VDE  agreement 
formulation  process  may  employ  artificial  intelligence  expert  system  technology  that  learns  from  responses  and,  where 
appropriate  and  based  at  least  in  part  on  said  responses,  provides  further  choices  and/or  questions  which  "evolves"  the 
desired  VDE  electronic  agreement. 

support  the  use  of  multiple  VDE  secure  subsystems  in  a  single  VDE  installation.  Various  security  and/or  performance 
advantages  may  be  realized  by  employing  a  distributed  VDE  design  within  a  single  VDE  installation.  For  example, 
designing  a  hardware  based  VDE  secure  subsystem  into  an  electronic  appliance  VDE  display  device,  and  designing 
said  subsystem's  integration  with  said  display  device  so  that  it  is  as  close  as  possible  to  the  point  of  display,  will 
increase  the  security  for  video  materials  by  making  it  materially  more  difficult  to  "steal"  decrypted  video  information 
as  it  moves  from  outside  to  inside  the  video  system.  Ideally,  for  example,  a  VDE  secure  hardware  module  would  be  in 
the  same  physical  package  as  the  actual  display  monitor,  such  as  within  the  packaging  of  a  video  monitor  or  other 
display  device,  and  such  device  would  be  designed,  to  the  extent  commercially  practical,  to  be  as  tamper  resistant  as 
reasonable.  As  another  example,  embedding  a  VDE  hardware  module  into  an  EO  peripheral  may  have  certain 
advantages  from  the  standpoint  of  overall  system  throughput.  If  multiple  VDE  instances  are  employed  within  the  same 
VDE  installation,  these  instances  will  ideally  share  resources  to  the  extent  practical,  such  as  VDE  instances  storing 
certain  control  information  and  content  and/or  appliance  usage  information  on  the  same  mass  storage  device  and  in  the 
same  VDE  management  database. 

requiring  reporting  and  payment  compliance  by  employing  exhaustion  of  budgets  and  time  ageing  of  keys.  For 
example,  a  VDE  commercial  arrangement  and  associated  content  control  information  may  involve  a  content  provider's 
content  and  the  use  of  clearinghouse  credit  for  payment  for  end-user  usage  of  said  content.  Control  information 
regarding  said  arrangement  may  be  delivered  to  a  user's  (of  said  content)  VDE  installation  and/or  said  financial 
clearinghouse's  VDE  installation.  Said  control  information  might  require  said  clearinghouse  to  prepare  and 
telecommunicate  to  said  content  provider  both  content  usage  based  information  in  a  certain  form,  and  content  usage 
payment  in  the  form  of  electronic  credit  (such  credit  might  be  "owned"  by  the  provider  after  receipt  and  used  in  lieu  of 
the  availability  or  adequacy  of  electronic  currency)  and/or  electronic  currency.  This  delivery  of  information  and 
payment  may  employ  trusted  VDE  installation  secure  subsystems  to  securely,  and  in  some  embodiments, 
automatically,  provide  in  the  manner  specified  by  said  control  information,  said  usage  information  and  payment 
content.  Features  of  the  present  invention  help  ensure  that  a  requirement  that  a  clearinghouse  report  such  usage 
information  and  payment  content  will  be  observed.  For  example,  if  one  participant  to  a  VDE  electronic  agreement  fails 
to  observe  such  information  reporting  and/or  paying  obligation,  another  participant  can  stop  the  delinquent  party  from 
successfully  participating  in  VDE  activities  related  to  such  agreement.  For  example  if  required  usage  information  and 
payment  was  not  reported  as  specified  by  content  control  information,  the  "injured"  party  can  fail  to  provide,  through 
failing  to  securely  communicate  from  his  VDE  installation  secure  subsystem,  one  or  more  pieces  of  secure  information 
necessary  for  the  continuance  of  one  or  more  critical  processes.  For  example,  failure  to  report  information  and/or 
payment  from  a  clearinghouse  to  a  content  provider  (as  well  as  any  security  failures  or  other  disturbing  irregularities) 
can  result  in  the  content  provider  not  providing  key  and/or  budget  refresh  information  to  the  clearinghouse,  which 
information  can  be  necessary  to  authorize  use  of  the  clearinghouse's  credit  for  usage  of  the  provider's  content  and 
which  the  clearinghouse  would  communicate  to  end-user's  during  a  content  usage  reporting  communication  between 
the  clearinghouse  and  end-user.  As  another  example,  a  distributor  that  failed  to  make  payments  and/or  report  usage 
information  to  a  content  provider  might  find  that  their  budget  for  creating  permissions  records  to  distribute  the  content 
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provider's  content  to  users,  and/or  a  security  budget  limiting  one  or  more  other  aspect  of  their  use  of  the  provider's 
content,  are  not  being  refreshed  by  the  content  provider,  once  exhausted  or  timed-out  (for  example,  at  a  predetermined 
date).  In  these  and  other  cases,  the  offended  party  might  decide  not  to  refresh  time  ageing  keys  that  had  "aged  out." 
Such  a  use  of  time  aged  keys  has  a  similar  impact  as  failing  to  refresh  budgets  or  time-aged  authorizations. 

support  smart  card  implementations  of  the  present  invention  in  the  form  of  portable  electronic  appliances,  including 
cards  that  can  be  employed  as  secure  credit,  banking,  and/or  money  cards.  A  feature  of  the  present  invention  is  the  use 
of  portable  VDEs  as  transaction  cards  at  retail  and  other  establishments,  wherein  such  cards  can  "dock"  with  an 
establishment  terminal  that  has  a  VDE  secure  sub -system  and/or  an  online  connection  to  a  VDE  secure  and/or 
otherwise  secure  and  compatible  subsystem,  such  as  a  "trusted"  financial  clearinghouse  (e.g.,  VISA,  Mastercard).  The 
VDE  card  and  the  terminal  (and/or  online  connection)  can  securely  exchange  information  related  to  a  transaction,  with 
credit  and/or  electronic  currency  being  transferred  to  a  merchant  and/or  clearinghouse  and  transaction  information 
flowing  back  to  the  card.  Such  a  card  can  be  used  for  transaction  activities  of  all  sorts.  A  docking  station,  such  as  a 
PCMCIA  connector  on  an  electronic  appliance,  such  as  a  personal  computer,  can  receive  a  consumer's  VDE  card  at 
home.  Such  a  station/card  combination  can  be  used  for  on-line  transactions  in  the  same  manner  as  a  VDE  installation 
that  is  permanently  installed  in  such  an  electronic  appliance.  The  card  can  be  used  as  an  "electronic  wallet"  and 
contain  electronic  currency  as  well  as  credit  provided  by  a  clearinghouse.  The  card  can  act  as  convergence  point  for 
financial  activities  of  a  consumer  regarding  many,  if  not  all,  merchant,  banking,  and  on-line  financial  transactions, 
including  supporting  home  banking  activities.  A  consumer  can  receive  his  paycheck  and/or  investment  earnings  and/or 
"authentic"  VDE  content  container  secured  detailed  information  on  such  receipts,  through  on-line  connections.  A  user 
can  send  digital  currency  to  another  party  with  a  VDE  arrangement,  including  giving  away  such  currency.  A  VDE  card 
can  retain  details  of  transactions  in  a  highly  secure  and  database  organized  fashion  so  that  financially  related 
information  is  both  consolidated  and  very  easily  retrieved  and/or  analyzed.  Because  of  the  VDE  security,  including  use 
of  effective  encryption,  authentication,  digital  signaturing,  and  secure  database  structures,  the  records  contained  within 
a  VDE  card  arrangement  may  be  accepted  as  valid  transaction  records  for  government  and/or  corporate  recordkeeping 
requirements.  In  some  embodiments  of  the  present  invention  a  VDE  card  may  employ  docking  station  and/or 
electronic  appliance  storage  means  and/or  share  other  VDE  arrangement  means  local  to  said  appliance  and/or  available 
across  a  network,  to  augment  the  information  storage  capacity  of  the  VDE  card,  by  for  example,  storing  dated,  and/or 
archived,  backup  information.  Taxes  relating  to  some  or  all  of  an  individual's  financial  activities  may  be  automatically 
computed  based  on  "authentic"  information  securely  stored  and  available  to  said  VDE  card.  Said  information  may  be 
stored  in  said  card,  in  said  docking  station,  in  an  associated  electronic  appliance,  and/or  other  device  operatively 
attached  thereto,  and/or  remotely,  such  as  at  a  remote  server  site.  A  card's  data,  e.g.  transaction  history,  can  be  backed 
up  to  an  individual's  personal  computer  or  other  electronic  appliance  and  such  an  appliance  may  have  an  integrated 
VDE  installation  of  its  own.  A  current  transaction,  recent  transactions  (for  redundancy),  or  all  or  other  selected  card 
data  may  be  backed  up  to  a  remote  backup  repository,  such  a  VDE  compatible  repository  at  a  financial  clearinghouse, 
during  each  or  periodic  docking  for  a  financial  transaction  and/or  information  communication  such  as  a  user/merchant 
transaction.  Backing  up  at  least  the  current  transaction  during  a  connection  with  another  party's  VDE  installation  (for 
example  a  VDE  installation  that  is  also  on  a  financial  or  general  purpose  electronic  network),  by  posting  transaction 
information  to  a  remote  clearinghouse  and/or  bank,  can  ensure  that  sufficient  backup  is  conducted  to  enable  complete 
reconstruction  of  VDE  card  internal  information  in  the  event  of  a  card  failure  or  loss. 

support  certification  processes  that  ensure  authorized  interoperability  between  various  VDE  installations  so  as  to 
prevent  VDE  arrangements  and/or  installations  that  unacceptably  deviate  in  specification  protocols  from  other  VDE 
arrangements  and/or  installations  from  interoperating  in  a  manner  that  may  introduce  security  (integrity  and/or 
confidentiality  of  VDE  secured  information),  process  control,  and/or  software  compatibility  problems.  Certification 
validates  the  identity  of  VDE  installations  and/or  their  components,  as  well  as  VDE  users.  Certification  data  can  also 
serve  as  information  that  contributes  to  determining  the  decommissioning  or  other  change  related  to  VDE  sites. 

support  the  separation  of  fundamental  transaction  control  processes  through  the  use  of  event  (triggered)  based  method 
control  mechanisms.  These  event  methods  trigger  one  or  more  other  VDE  methods  (which  are  available  to  a  secure 
VDE  sub-system)  and  are  used  to  carry  out  VDE  managed  transaction  related  processing.  These  triggered  methods 
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include  independently  (separably)  and  securely  processable  component  billing  management  methods,  budgeting 
management  methods,  metering  management  methods,  and  related  auditing  management  processes.  As  a  result  of  this 
feature  of  the  present  invention,  independent  triggering  of  metering,  auditing,  billing,  and  budgeting  methods,  the 
present  invention  is  able  to  efficiently,  concurrently  support  multiple  financial  currencies  (e.g.  dollars,  marks,  yen)  and 
content  related  budgets,  and/or  billing  increments  as  well  as  very  flexible  content  distribution  models. 

support,  complete,  modular  separation  of  the  control  structures  related  to  (1)  content  event  triggering,  (2)  auditing,  (3) 
budgeting  (including  specifying  no  right  of  use  or  unlimited  right  of  use)  (4)  billing,  and  (5)  user  identity  (VDE 
installation,  client  name,  department,  network,  and/or  user,  etc.).  The  independence  of  these  VDE  control  structures 
provides  a  flexible  system  which  allows  plural  relationships  between  two  or  more  of  these  structures,  for  example,  the 
ability  to  associate  a  financial  budget  with  different  event  trigger  structures  (that  are  put  in  place  to  enable  controlling 
content  based  on  its  logical  portions).  Without  such  separation  between  these  basic  VDE  capabilities,  it  would  be  more 
difficult  to  efficiently  maintain  separate  metering,  budgeting,  identification,  and/or  billing  activities  which  involve  the 
same,  differing  (including  overlapping),  or  entirely  different,  portions  of  content  for  metering,  billing,  budgeting,  and 
user  identification,  for  example,  paying  fees  associated  with  usage  of  content,  performing  home  banking,  managing 
advertising  services,  etc.  VDE  modular  separation  of  these  basic  capabilities  supports  the  programming  of  plural, 
"arbitrary"  relationships  between  one  or  differing  content  portions  (and/or  portion  units)  and  budgeting,  auditing, 
and/or  billing  control  information.  For  example,  under  VDE,  a  budget  limit  of  $200  dollars  or  300  German  Marks  a 
month  may  be  enforced  for  decryption  of  a  certain  database  and  2  U.S.  Dollars  or  3  German  Marks  may  be  charged  for 
each  record  of  said  database  decrypted  (depending  on  user  selected  currency).  Such  usage  can  be  metered  while  an 
additional  audit  for  user  profile  purposes  can  be  prepared  recording  the  identity  of  each  filed  displayed.  Additionally, 
further  metering  can  be  conducted  regarding  the  number  of  said  database  bytes  that  have  been  decrypted,  and  a  related 
security  budget  may  prevent  the  decrypting  of  more  than  5%  of  the  total  bytes  of  said  database  per  year.  The  user  may 
also,  under  VDE  (if  allowed  by  senior  control  information),  collect  audit  information  reflecting  usage  of  database 
fields  by  different  individuals  and  client  organization  departments  and  ensure  that  differing  rights  of  access  and 
differing  budgets  limiting  database  usage  can  be  applied  to  these  client  individuals  and  groups.  Enabling  content 
providers  and  users  to  practically  employ  such  diverse  sets  of  user  identification,  metering,  budgeting,  and  billing 
control  information  results,  in  part,  from  the  use  of  such  independent  control  capabilities.  As  a  result,  VDE  can  support 
great  configurability  in  creation  of  plural  control  models  applied  to  the  same  electronic  property  and  the  same  and/or 
plural  control  models  applied  to  differing  or  entirely  different  content  models  (for  example,  home  banking  versus 
electronic  shopping). 

Methods,  Other  Control  Information,  and  VDE  Objects 

VDE  control  information  (e.g.,  methods)  that  collectively  control  use  of  VDE  managed  properties  (database, 
document,  individual  commercial  product),  are  either  shipped  with  the  content  itself  (for  example,  in  a  content 
container)  and/or  one  or  more  portions  of  such  control  information  is  shipped  to  distributors  and/or  other  users  in 
separably  deliverable  "Administrative  objects."  A  subset  of  the  methods  for  a  property  may  in  part  be  delivered  with 
each  property  while  one  or  more  other  subsets  of  methods  can  be  delivered  separately  to  a  user  or  otherwise  made 
available  for  use  (such  as  being  available  remotely  by  telecommunication  means).  Required  methods  (methods  listed 
as  required  for  property  and/or  appliance  use)  must  be  available  as  specified  if  VDE  controlled  content  (such  as 
intellectual  property  distributed  within  a  VDE  content  container)  is  to  be  used.  Methods  that  control  content  may  apply 
to  a  plurality  of  VDE  container  objects,  such  as  a  class  or  other  grouping  of  such  objects.  Methods  may  also  be 
required  by  certain  users  or  classes  of  users  and/or  VDE  installations  and/or  classes  of  installations  for  such  parties  to 
use  one  or  more  specific,  or  classes  of,  objects. 

A  feature  of  VDE  provided  by  the  present  invention  is  that  certain  one  or  more  methods  can  be  specified  as  required  in 
order  for  a  VDE  installation  and/or  user  to  be  able  to  use  certain  and/or  all  content.  For  example,  a  distributor  of  a 
certain  type  of  content  might  be  allowed  by  "senior"  participants  (by  content  creators,  for  example)  to  require  a 
method  which  prohibits  end-users  from  electronically  saving  decrypted  content,  a  provider  of  credit  for  VDE 
transactions  might  require  an  audit  method  that  records  the  time  of  an  electronic  purchase,  and/or  a  user  might  require 
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a  method  that  summarizes  usage  information  for  reporting  to  a  clearinghouse  (e.g.  billing  information)  in  a  way  that 
does  not  convey  confidential,  personal  information  regarding  detailed  usage  behavior. 

A  further  feature  of  VDE  provided  by  the  present  invention  is  that  creators,  distributors,  and  users  of  content  can  select 
from  among  a  set  of  predefined  methods  (if  available)  to  control  container  content  usage  and  distribution  functions 
and/or  they  may  have  the  right  to  provide  new  customized  methods  to  control  at  least  certain  usage  functions  (such 
"new"  methods  may  be  required  to  be  certified  for  trustedness  and  interoperability  to  the  VDE  installation  and/or  for 
of  a  group  of  VDE  applications).  As  a  result,  VDE  provides  a  very  high  degree  of  configurability  with  respect  to  how 
the  distribution  and  other  usage  of  each  property  or  object  (or  one  or  more  portions  of  objects  or  properties  as  desired 
and/or  applicable)  will  be  controlled.  Each  VDE  participant  in  a  VDE  pathway  of  content  control  information  may  set 
methods  for  some  or  all  of  the  content  in  a  VDE  container,  so  long  as  such  control  information  does  not  conflict  with 
senior  control  information  already  in  place  with  respect  to: 

(1)  certain  or  all  VDE  managed  content, 

(2)  certain  one  or  more  VDE  users  and/or  groupings  of  users, 

(3)  certain  one  or  more  VDE  nodes  and/or  groupings  of  nodes,  and/or 

(4)  certain  one  or  more  VDE  applications  and/or  arrangements. 

For  example,  a  content  creator's  VDE  control  information  for  certain  content  can  take  precedence  over  other  submitted 
VDE  participant  control  information  and,  for  example,  if  allowed  by  senior  control  information,  a  content  distributor's 
control  information  may  itself  take  precedence  over  a  client  administrator's  control  information,  which  may  take 
precedence  over  an  end-user's  control  information.  A  path  of  distribution  participant's  ability  to  set  such  electronic 
content  control  information  can  be  limited  to  certain  control  information  (for  example,  method  mediating  data  such  as 
pricing  and/or  sales  dates)  or  it  may  be  limited  only  to  the  extent  that  one  or  more  of  the  participant's  proposed  control 
information  conflicts  with  control  information  set  by  senior  control  information  submitted  previously  by  participants 
in  a  chain  of  handling  of  the  property,  or  managed  in  said  participant's  VDE  secure  subsystem. 

VDE  control  information  may,  in  part  or  in  full,  (a)  represent  control  information  directly  put  in  place  by  VDE  content 
control  information  pathway  participants,  and/or  (b)  comprise  control  information  put  in  place  by  such  a  participant  on 
behalf  of  a  party  who  does  not  directly  handle  electronic  content  (or  electronic  appliance)  permissions  records 
information  (for  example  control  information  inserted  by  a  participant  on  behalf  of  a  financial  clearinghouse  or 
government  agency).  Such  control  information  methods  (and/or  load  modules  and/or  mediating  data  and/or  component 
assemblies)  may  also  be  put  in  place  by  either  an  electronic  automated,  or  a  semi-automated  and  human  assisted, 
control  information  (control  set)  negotiating  process  that  assesses  whether  the  use  of  one  or  more  pieces  of  submitted 
control  information  will  be  integrated  into  and/or  replace  existing  control  information  (and/or  chooses  between 
alternative  control  information  based  upon  interaction  with  in-place  control  information)  and  how  such  control 
information  may  be  used. 

Control  information  may  be  provided  by  a  party  who  does  not  directly  participate  in  the  handling  of  electronic  content 
(and/or  appliance)  and/or  control  information  for  such  content  (and/or  appliance.  Such  control  information  may  be 
provided  in  secure  form  using  VDE  installation  secure  sub-system  managed  communications  (including,  for  example, 
authenticating  the  deliverer  of  at  least  in  part  encrypted  control  information)  between  such  not  directly  participating 
one  or  more  parties'  VDE  installation  secure  subsystems,  and  a  pathway  of  VDE  content  control  information 
participant's  VDE  installation  secure  subsystem.  This  control  information  may  relate  to,  for  example,  the  right  to 
access  credit  supplied  by  a  financial  services  provider,  the  enforcement  of  regulations  or  laws  enacted  by  a 
government  agency,  or  the  requirements  of  a  customer  of  VDE  managed  content  usage  information  (reflecting  usage 
of  content  by  one  or  more  parties  other  than  such  customer)  relating  to  the  creation,  handling  and/or  manner  of 
reporting  of  usage  information  received  by  such  customer.  Such  control  information  may,  for  example,  enforce 
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societal  requirements  such  as  laws  related  to  electronic  commerce. 

VDE  content  control  information  may  apply  differently  to  different  pathway  of  content  and/or  control  information 
handling  participants.  Furthermore,  permissions  records  rights  may  be  added,  altered,  and/or  removed  by  a  VDE 
participant  if  they  are  allowed  to  take  such  action.  Rights  of  VDE  participants  may  be  defined  in  relation  to  specific 
parties  and/or  categories  of  parties  and/or  other  groups  of  parties  in  a  chain  of  handling  of  content  and/or  content 
control  information  (e.g.,  permissions  records).  Modifications  to  control  information  that  may  be  made  by  a  given, 
eligible  party  or  parties,  may  be  limited  in  the  number  of  modifications,  and/or  degree  of  modification,  they  may 
make. 

At  least  one  secure  subsystem  in  electronic  appliances  of  creators,  distributors,  auditors,  clearinghouses,  client 
administrators,  and  end-users  (understanding  that  two  or  more  of  the  above  classifications  may  describe  a  single  user) 
provides  a  "sufficiently"  secure  (for  the  intended  applications)  environment  for: 

1.  Decrypting  properties  and  control  information; 

2.  Storing  control  and  metering  related  information; 

3.  Managing  communications; 

4.  Processing  core  control  programs,  along  with  associated  data,  that  constitute  control  information  for  electronic 
content  and/or  appliance  rights  protection,  including  the  enforcing  of  preferences  and  requirements  of  VDE 
participants. 

Normally,  most  usage,  audit,  reporting,  payment,  and  distribution  control  methods  are  themselves  at  least  in  part 
encrypted  and  are  executed  by  the  secure  subsystem  of  a  VDE  installation.  Thus,  for  example,  billing  and  metering 
records  can  be  securely  generated  and  updated,  and  encryption  and  decryption  keys  are  securely  utilized,  within  a 
secure  subsystem.  Since  VDE  also  employs  secure  (e.g.  encrypted  and  authenticated)  communications  when  passing 
information  between  the  participant  location  (nodes)  secure  subsystems  of  a  VDE  arrangement,  important  components 
of  a  VDE  electronic  agreement  can  be  reliably  enforced  with  sufficient  security  (sufficiently  trusted)  for  the  intended 
commercial  purposes.  A  VDE  electronic  agreement  for  a  value  chain  can  be  composed,  at  least  in  part,  of  one  or  more 
subagreements  between  one  or  more  subsets  of  the  value  chain  participants.  These  subagreements  are  comprised  of 
one  or  more  electronic  contract  "compliance"  elements  (methods  including  associated  parameter  data)  that  ensure  the 
protection  of  the  rights  of  VDE  participants. 

The  degree  of  trustedness  of  a  VDE  arrangement  will  be  primarily  based  on  whether  hardware  SPUs  are  employed  at 
participant  location  secure  subsystems  and  the  effectiveness  of  the  SPU  hardware  security  architecture,  software 
security  techniques  when  an  SPU  is  emulated  in  software,  and  the  encryption  algorithm(s)  and  keys  that  are  employed 
for  securing  content,  control  information,  communications,  and  access  to  VDE  node  (VDE  installation)  secure 
subsystems.  Physical  facility  and  user  identity  authentication  security  procedures  may  be  used  instead  of  hardware 
SPUs  at  certain  nodes,  such  as  at  an  established  financial  clearinghouse,  where  such  procedures  may  provide  sufficient 
security  for  trusted  interoperability  with  a  VDE  arrangement  employing  hardware  SPUs  at  user  nodes. 

The  updating  of  property  management  files  at  each  location  of  a  VDE  arrangement,  to  accommodate  new  or  modified 
control  information,  is  performed  in  the  VDE  secure  subsystem  and  under  the  control  of  secure  management  file 
updating  programs  executed  by  the  protected  subsystem.  Since  all  secure  communications  are  at  least  in  part  encrypted 
and  the  processing  inside  the  secure  subsystem  is  concealed  from  outside  observation  and  interference,  the  present 
invention  ensures  that  content  control  information  can  be  enforced.  As  a  result,  the  creator  and/or  distributor  and/or 
client  administrator  and/or  other  contributor  of  secure  control  information  for  each  property  (for  example,  an  end-user 
restricting  the  kind  of  audit  information  he  or  she  will  allow  to  be  reported  and/or  a  financial  clearinghouse 
establishing  certain  criteria  for  use  of  its  credit  for  payment  for  use  of  distributed  content)  can  be  confident  that  their 
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contributed  and  accepted  control  information  will  be  enforced  (within  the  security  limitations  of  a  given  VDE  security 
implementation  design).  This  control  information  can  determine,  for  example: 

(1)  How  and/or  to  whom  electronic  content  can  be  provided,  for  example,  how  an  electronic  property  can  be 
distributed; 

(2)  How  one  or  more  objects  and/or  properties,  or  portions  of  an  object  or  property,  can  be  directly  used,  such  as 
decrypted,  displayed,  printed,  etc; 

(3)  How  payment  for  usage  of  such  content  and/or  content  portions  may  or  must  be  handled;  and 

(4)  How  audit  information  about  usage  information  related  to  at  least  a  portion  of  a  property  should  be  collected, 
reported,  and/or  used. 

Seniority  of  contributed  con 


